
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,270 advisories

Ory Keto has a SQL injection via forged pagination tokens High
CVE-2026-33505 was published for github.com/ory/keto (Go) Mar 20, 2026
Ory Hydra has a SQL injection via forged pagination tokens High
CVE-2026-33504 was published for github.com/ory/hydra (Go) Mar 20, 2026
Ory Kratos has a SQL injection via forged pagination tokens High
CVE-2026-33503 was published for github.com/ory/kratos (Go) Mar 20, 2026
Ory Oathkeeper has a path traversal authorization bypass Critical
CVE-2026-33494 was published for github.com/ory/oathkeeper (Go) Mar 20, 2026
Ory Oathkeeper has an authentication bypass by cache key confusion High
CVE-2026-33496 was published for github.com/ory/oathkeeper (Go) Mar 20, 2026
Ory Oathkeeper has an authentication bypass by usage of untrusted header Moderate
CVE-2026-33495 was published for github.com/ory/oathkeeper (Go) Mar 20, 2026
etcd: Authorization bypasses in multiple APIs High
CVE-2026-33413 was published for go.etcd.io/etcd (Go) Mar 20, 2026
Credited to manizada
MinIO LDAP login brute-force via user enumeration and missing rate limit Critical
CVE-2026-33419 was published for github.com/minio/minio (Go) Mar 20, 2026
Credited to harshavardhana, donatello, and taran-p
Syft improper temporary file cleanup Moderate
CVE-2026-33481 was published for github.com/anchore/syft (Go) Mar 20, 2026
Credited to htrgouvea
Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal High
CVE-2026-33476 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 20, 2026
Credited to mith36
Vikunja Affected by DoS via Image Preview Generation Moderate
CVE-2026-33474 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to Aryma-f4
Vikunja has TOTP Reuse During Validity Window Moderate
CVE-2026-33473 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to alp1n3-dev
etcd: Nested etcd transactions bypass RBAC authorization checks Low
CVE-2026-33343 was published for go.etcd.io/etcd (Go) Mar 20, 2026
Credited to Tulgaaaaaaaa
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement High
CVE-2026-33316 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to VashuVats
Vikunja has a 2FA Bypass via Caldav Basic Auth Moderate
CVE-2026-33315 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to alp1n3-dev
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments Moderate
CVE-2026-33313 was published for code.vikunja.io/api (Go) Mar 20, 2026
Vikunja read-only users can delete project background images via broken object-level authorization Moderate
CVE-2026-33312 was published for code.vikunja.io/api (Go) Mar 20, 2026
Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration Moderate
CVE-2026-32595 was published for github.com/traefik/traefik (Go) Mar 20, 2026
Credited to f1veT
Credited to InfinityHub123
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers Moderate
CVE-2026-29794 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to alp1n3-dev
ingress-nginx comment-based nginx configuration injection High
CVE-2026-4342 was published for k8s.io/ingress-nginx (Go) Mar 20, 2026
In Soft Serve, an authenticated repo import can clone server-local private repositories High
CVE-2026-33353 was published for github.com/charmbracelet/soft-serve (Go) Mar 19, 2026
Credited to evnsh
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG High
CVE-2026-33344 was published for github.com/dagu-org/dagu (Go) Mar 19, 2026
Credited to vnykmshr
Packetbeat does not properly validate an array index in multiple protocol parser components Moderate
CVE-2026-26933 was published for github.com/elastic/beats/v7 (Go) Mar 19, 2026
Metricbeat Allocates Memory with Excessive Size Value Leading to Denial of Service Moderate
CVE-2026-26931 was published for github.com/elastic/beats/v7 (Go) Mar 19, 2026