Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
41
Go
3,077
Maven
5,000+
npm
4,972
NuGet
825
pip
4,414
Pub
12
RubyGems
988
Rust
1,159
Swift
50
Unreviewed advisories
All unreviewed
5,000+

3,077 advisories

Loading
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover High
CVE-2026-29192 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish and livio-a livio-a livio-a
ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication High
CVE-2026-29193 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish and livio-a livio-a livio-a
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint Critical
CVE-2026-29191 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish, bastionstack, and livio-a bastionstack bastionstack
livio-a livio-a
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check Moderate
CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 4, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
Netmaker Vulnerable to Denial of Service via Server Shutdown Endpoint High
CVE-2026-29771 was published for github.com/gravitl/netmaker (Go) Mar 4, 2026
m4dn355 Credited to m4dn355
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint Critical
CVE-2026-29183 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 4, 2026
maru1009 Credited to maru1009
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) High
CVE-2026-29054 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
1seal Credited to 1seal
Nuclio Shell Runtime Command Injection Leading to Privilege Escalation High
CVE-2026-29042 was published for github.com/nuclio/nuclio (Go) Mar 4, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints Moderate
CVE-2026-3351 was published for github.com/canonical/lxd (Go) Mar 4, 2026
bugbunny-research Credited to bugbunny-research
Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) High
CVE-2026-26999 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
1seal Credited to 1seal
Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS Moderate
CVE-2026-26998 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
sm1ee Credited to sm1ee
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access Moderate
CVE-2026-29073 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 3, 2026
rezmoss Credited to rezmoss
Rancher Backup Operator pod's logs leak S3 tokens Moderate
CVE-2025-62879 was published for github.com/rancher/backup-restore-operator (Go) Mar 3, 2026
Rancher cloud credentials can be used through proxy API by users without access Critical
CVE-2021-25320 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher's restricted PodSecurityPolicy does not prevent containers from running as a privileged user High
GHSA-hwm2-4ph6-w6m5 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher's weave CNI password is not configured when a cluster is created from an RKE template Moderate
CVE-2022-21951 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) Critical
CVE-2022-31247 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher doesn't properly sanitize credentials in cluster template answers Critical
CVE-2021-36783 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher's Azure AD permission changes are not reflected on active sessions High
CVE-2023-22648 was published for github.com/rancher/rancher (Go) Mar 3, 2026
yvespp Credited to yvespp
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI Moderate
CVE-2026-29049 was published for chainguard.dev/melange (Go) Mar 2, 2026
1seal Credited to 1seal, antitree, and 89luca89 antitree antitree
89luca89 89luca89
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login High
CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
kule500 Credited to kule500
OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling High
GHSA-45m3-398w-m2m9 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
kule500 Credited to kule500
FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory High
CVE-2026-28492 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 2, 2026
uug4na Credited to uug4na and hacdias hacdias hacdias
OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint High
CVE-2026-28342 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
fg0x0 Credited to fg0x0
malcontent: Error-path cleanup gap can leak scanners and fds and degrade availability Moderate
GHSA-54p8-x2m9-c593 was published for github.com/chainguard-dev/malcontent (Go) Mar 2, 2026
1seal Credited to 1seal, stevebeattie, and egibs stevebeattie stevebeattie
egibs egibs
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database