Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,121
Maven
5,000+
npm
5,000+
NuGet
826
pip
4,428
Pub
12
RubyGems
988
Rust
1,171
Swift
50
Unreviewed advisories
All unreviewed
5,000+

3,121 advisories

Loading
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren High
CVE-2026-30926 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 9, 2026
Zwique Credited to Zwique
Kubewarden: Cross-namespace data exfiltration via deprecated host callback binding Moderate
CVE-2026-29773 was published for github.com/kubewarden/kubewarden-controller (Go) Mar 9, 2026
thevilledev Credited to thevilledev
Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys High
CVE-2026-29196 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Privilege Escalation from Admin to Super-Admin via User Update Moderate
CVE-2026-29195 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Insufficient Authorization in Host Token Verification High
CVE-2026-29194 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange High
CVE-2026-28513 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
dorakemon Credited to dorakemon
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion High
CVE-2026-28512 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
ByamB4 Credited to ByamB4
x402 SDK Security Advisory High
GHSA-qr2g-p6q7-w82m was published for @x402/svm (Go) Mar 7, 2026
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation Critical
CVE-2026-30861 was published for github.com/Tencent/WeKnora (Go) Mar 7, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool Critical
CVE-2026-30860 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora has Broken Access Control - Cross-Tenant Data Exposure High
CVE-2026-30859 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources High
CVE-2026-30858 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102 and Haruna38 Haruna38 Haruna38
WeKnora has Unauthorized Cross‑Tenant Knowledge Base Cloning Moderate
CVE-2026-30857 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection Moderate
CVE-2026-30856 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Broken Access Control in Tenant Management Critical
CVE-2026-30855 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
Caddy's vars_regexp double-expands user input, leaking env vars and files Moderate
CVE-2026-30852 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp (Go) Mar 6, 2026
sammiee5311 Credited to sammiee5311
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation High
CVE-2026-30851 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go) Mar 6, 2026
NucleiAv Credited to NucleiAv
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import Critical
CVE-2026-30832 was published for github.com/charmbracelet/soft-serve (Go) Mar 6, 2026
vnykmshr Credited to vnykmshr
Zarf's symlink targets in archives are not validated against destination directory High
CVE-2026-29064 was published for github.com/zarf-dev/zarf/src/pkg/archive (Go) Mar 6, 2026
joonas Credited to joonas
CoreDNS Loop Detection Denial of Service Vulnerability High
CVE-2026-26018 was published for github.com/coredns/coredns (Go) Mar 6, 2026
YOUNEVSKY Credited to YOUNEVSKY
PinchTab has SSRF with Full Response Exfiltration via Download Handler High
CVE-2026-30834 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
CoreDNS ACL Bypass High
CVE-2026-26017 was published for github.com/coredns/coredns (Go) Mar 6, 2026
YOUNEVSKY Credited to YOUNEVSKY
WeKnora is Vulnerable to SSRF via Redirection Moderate
CVE-2026-30247 was published for github.com/Tencent/WeKnora (Go) Mar 5, 2026
aleister1102 Credited to aleister1102 and Haruna38 Haruna38 Haruna38
OliveTin doesn't check view permission when returning dashboards Moderate
CVE-2026-30233 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database