Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
47
Go
3,295
Maven
5,000+
npm
5,000+
NuGet
876
pip
4,524
Pub
12
RubyGems
1,008
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

12,202 advisories

Loading
Apache Answer Cross-site Scripting vulnerability Moderate
CVE-2024-23349 was published for github.com/apache/incubator-answer (Go) Feb 22, 2024
litellm vulnerable to improper access control in team management Moderate
CVE-2024-5710 was published for litellm (pip) Jun 27, 2024
byt3bl33d3r Credited to byt3bl33d3r
Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint Moderate
CVE-2026-33638 was published for github.com/lin-snow/ech0 (Go) Mar 24, 2026
QiaoNPC Credited to QiaoNPC
Scriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation Moderate
GHSA-xw6w-9jjh-p9cr was published for Scriban (NuGet) Mar 24, 2026
restriction Credited to restriction
Scriban: Denial of Service via Unbounded Cumulative Template Output Bypassing LimitToString Moderate
GHSA-m2p3-hwv5-xpqw was published for Scriban (NuGet) Mar 24, 2026
restriction Credited to restriction
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching Moderate
CVE-2026-33248 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers Moderate
CVE-2026-33246 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing Moderate
CVE-2026-33223 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS JetStream has an authorization bypass through its Management API Moderate
CVE-2026-33222 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS is vulnerable to pre-auth DoS through WebSockets client service Moderate
CVE-2026-33219 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS is vulnerable to MQTT hijacking via Client ID Moderate
CVE-2026-33215 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
Tinyauth's OIDC authorization codes are not bound to client on token exchange Moderate
CVE-2026-32245 was published for github.com/steveiliop56/tinyauth (Go) Mar 12, 2026
e1024x Credited to e1024x
CNA Plugins Portmap nftables backend can intercept non-local traffic Moderate
CVE-2025-67499 was published for github.com/containernetworking/plugins (Go) Dec 9, 2025
agusdallalba Credited to agusdallalba and champtar champtar champtar
Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication Moderate
CVE-2026-2808 was published for github.com/hashicorp/consul (Go) Mar 12, 2026
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload Moderate
CVE-2026-30961 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Gokapi vulnerable to DoS in E2E Metadata Parser Moderate
CVE-2026-30955 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, Forceu, and aisafe-bot Forceu Forceu
aisafe-bot aisafe-bot
Gokapi vulnerable to Privilege Escalation in File Replace Moderate
CVE-2026-30943 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes Moderate
CVE-2026-30915 was published for github.com/drakkan/sftpgo/v2 (Go) Mar 13, 2026
SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy Moderate
CVE-2026-30914 was published for github.com/drakkan/sftpgo (Go) Mar 13, 2026
mcantrell Credited to mcantrell
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items Moderate
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
morimori-dev Credited to morimori-dev
NATS: Message tracing can be redirected to arbitrary subject Moderate
CVE-2026-33249 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token Moderate
CVE-2026-33621 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
mean3374 Credited to mean3374
PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution Moderate
CVE-2026-33623 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Yesuhei Credited to Yesuhei
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution Moderate
CVE-2026-33622 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Yesuhei Credited to Yesuhei
PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems Moderate
CVE-2026-33620 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
mean3374 Credited to mean3374
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database