Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,343
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,550
Pub
12
RubyGems
1,013
Rust
1,203
Swift
51
Unreviewed advisories
All unreviewed
5,000+

3,343 advisories

Loading
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) High
GHSA-46wh-3698-f2cx was published for github.com/traefik/traefik/v2 (Go) Mar 29, 2026
Sliver: Nil Pointer Dereference in tunnelCloseHandler causes panic when a reverse tunnel (rportfwd) close is attempted High
GHSA-c279-989m-238f was published for github.com/bishopfox/sliver (Go) Mar 29, 2026
VarshankNaik Credited to VarshankNaik
XPath: Boolean expression infinite loop leads to denial of service via CPU exhaustion High
CVE-2026-32287 was published for github.com/antchfx/xpath (Go) Mar 29, 2026
MinIO is Vulnerable to SSE Metadata Injection via Replication Headers High
CVE-2026-34204 was published for github.com/minio/minio (Go) Mar 27, 2026
harshavardhana Credited to harshavardhana, donatello, and shtripat donatello donatello
shtripat shtripat
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField Moderate
CVE-2026-33433 was published for github.com/traefik/traefik/v2 (Go) Mar 27, 2026
0xVijay Credited to 0xVijay
Flannel has cross-node remote code execution via extension backend BackendData injection High
CVE-2026-32241 was published for github.com/flannel-io/flannel (Go) Mar 27, 2026
shachartal Credited to shachartal
A Fleet team maintainer can transfer hosts from any team via missing source team authorization Moderate
CVE-2026-29180 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
act: actions/cache server allows malicious cache injection High
CVE-2026-34042 was published for github.com/nektos/act (Go) Mar 27, 2026
programmerjake Credited to programmerjake
act: Unrestricted set-env and add-path command processing enables environment injection High
CVE-2026-34041 was published for github.com/nektos/act (Go) Mar 27, 2026
golang-not-rust Credited to golang-not-rust
Fleet's unbounded request body read allows remote Denial of Service High
CVE-2026-26061 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
MagnusHJensen Credited to MagnusHJensen
Fleet: Password reset tokens remain valid after password change for 24 hours Moderate
CVE-2026-26060 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass Moderate
CVE-2026-32695 was published for github.com/traefik/traefik/v2 (Go) Mar 27, 2026
b-hermes Credited to b-hermes
Moby has AuthZ plugin bypass when provided oversized request bodies High
CVE-2026-34040 was published for github.com/docker/docker (Go) Mar 27, 2026
vvoland Credited to vvoland and manizada manizada manizada
Moby has an Off-by-one error in its plugin privilege validation Moderate
CVE-2026-33997 was published for github.com/docker/docker (Go) Mar 27, 2026
vvoland Credited to vvoland
Incus has an abitrary file write through its systemd-creds options Critical
CVE-2026-33945 was published for github.com/lxc/incus/v6 (Go) Mar 27, 2026
stgraber Credited to stgraber, grmpyninja, and stamparm grmpyninja grmpyninja
stamparm stamparm
Local Incus UI web server vulnerable to nuthentication bypass High
CVE-2026-33898 was published for github.com/lxc/incus/v6/cmd/incus (Go) Mar 27, 2026
grmpyninja Credited to grmpyninja and stgraber stgraber stgraber
Incus vulnerable to arbitrary file read and write through pongo templates Critical
CVE-2026-33897 was published for github.com/lxc/incus (Go) Mar 27, 2026
grmpyninja Credited to grmpyninja and stgraber stgraber stgraber
Incus vulnerable to denial of source through crafted bucket backup file Moderate
CVE-2026-33743 was published for github.com/lxc/incus (Go) Mar 27, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus vulnerable to local privilege escalation through VM screenshot path Moderate
CVE-2026-33711 was published for github.com/lxc/incus/v6 (Go) Mar 27, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus does not verify combined fingerprint when downloading images from simplestreams servers High
CVE-2026-33542 was published for github.com/lxc/incus/v6/client (Go) Mar 27, 2026
wl2018 Credited to wl2018 and stgraber stgraber stgraber
Harbor: LDAP password and OIDC secret are not redacted in the audit log Moderate
GHSA-prh4-vhfh-24mj was published for github.com/goharbor/harbor (Go) Mar 26, 2026
Ella Core Panics during NAS Authentication Response/Failure with missing IEs Moderate
CVE-2026-33907 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has a Denial of Service via SCTP connection cleanup deadlock Moderate
CVE-2026-33904 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core panics when processing a crafted NGAP LocationReport message Moderate
CVE-2026-33903 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database