Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,323
Maven
5,000+
npm
5,000+
NuGet
880
pip
4,533
Pub
12
RubyGems
1,010
Rust
1,201
Swift
51
Unreviewed advisories
All unreviewed
5,000+

3,323 advisories

Loading
Harbor: LDAP password and OIDC secret are not redacted in the audit log Moderate
GHSA-prh4-vhfh-24mj was published for github.com/goharbor/harbor (Go) Mar 26, 2026
Ella Core Panics during NAS Authentication Response/Failure with missing IEs Moderate
CVE-2026-33907 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has a Denial of Service via SCTP connection cleanup deadlock Moderate
CVE-2026-33904 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core panics when processing a crafted NGAP LocationReport message Moderate
CVE-2026-33903 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Contrast BadAML injection allows arbitrary code execution High
GHSA-g9ww-x58f-9g6m was published for github.com/edgelesssys/contrast (Go) Mar 26, 2026
katexochen Credited to katexochen and sespiros sespiros sespiros
OpenBao has Reflected XSS in its OIDC authentication error message Critical
CVE-2026-33758 was published for github.com/openbao/openbao (Go) Mar 26, 2026
gianklug Credited to gianklug
OpenBao lacks user confirmation for OIDC direct callback mode Critical
CVE-2026-33757 was published for github.com/openbao/openbao (Go) Mar 26, 2026
gianklug Credited to gianklug
BuildKit Git URL subdir component can cause access to restricted files High
CVE-2026-33748 was published for github.com/moby/buildkit (Go) Mar 26, 2026
BuildKit's Malicious frontend can cause file escape outside of storage root High
CVE-2026-33747 was published for github.com/moby/buildkit (Go) Mar 26, 2026
1seal Credited to 1seal
OpenFGA has an Authorization Bypass through cached keys Moderate
CVE-2026-33729 was published for github.com/openfga/openfga (Go) Mar 26, 2026
justincoh Credited to justincoh and saad-h1 saad-h1 saad-h1
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR Critical
GHSA-2pv8-4c52-mf8j was published for code.vikunja.io/api (Go) Mar 26, 2026
offset Credited to offset
Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic Moderate
CVE-2026-33726 was published for github.com/cilium/cilium (Go) Mar 26, 2026
Champ-Goblem Credited to Champ-Goblem, sudeephb, julianwiedmann, and smagnani96 sudeephb sudeephb
julianwiedmann julianwiedmann smagnani96 smagnani96
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion Moderate
CVE-2026-33700 was published for code.vikunja.io/api (Go) Mar 25, 2026
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download Moderate
CVE-2026-33679 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion High
CVE-2026-33678 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API Moderate
CVE-2026-33677 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read Moderate
CVE-2026-33676 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources Moderate
CVE-2026-33675 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect High
CVE-2026-33668 was published for code.vikunja.io/api (Go) Mar 25, 2026
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE Low
CVE-2026-33529 was published for github.com/tobychui/zoraxy (Go) Mar 25, 2026
JakePeralta7 Credited to JakePeralta7
SiYuan has directory traversal within its publishing service Critical
CVE-2026-33670 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 25, 2026
CongSec Credited to CongSec
SiYuan has Arbitrary Document Reading within the Publishing Service Critical
CVE-2026-33669 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 25, 2026
CongSec Credited to CongSec
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead High
CVE-2026-27889 was published for github.com/nats-io/nats-server/v2 (Go) Mar 25, 2026
Mistz1 Credited to Mistz1 and jiayuqi7813 jiayuqi7813 jiayuqi7813
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database