Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,653
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,860
Pub
13
RubyGems
1,050
Rust
1,304
Swift
53
Unreviewed advisories
All unreviewed
5,000+

3,653 advisories

Loading
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) High
CVE-2026-42575 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal and antitree antitree antitree
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root High
CVE-2026-42574 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, and markusthoemmes antitree antitree
markusthoemmes markusthoemmes
apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery Moderate
CVE-2026-42576 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, and markusthoemmes antitree antitree
markusthoemmes markusthoemmes
Pelican Web UI Affected by a Privilege Escalation Attack Critical
CVE-2026-42571 was published for github.com/pelicanplatform/pelican (Go) May 4, 2026
brianaydemir Credited to brianaydemir, jhiemstrawisc, matyasselmeci, and williamnswanson jhiemstrawisc jhiemstrawisc
matyasselmeci matyasselmeci williamnswanson williamnswanson
Distribution's tag deletion bypasses `storage.delete.enabled` configuration Moderate
CVE-2026-41888 was published for github.com/distribution/distribution (Go) May 4, 2026
joonas Credited to joonas
Argo vulnerable to exposure of artifact repository credentials High
CVE-2026-42295 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Masamuneee Credited to Masamuneee, Joibel, and isubasinghe Joibel Joibel
isubasinghe isubasinghe
Argo has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure High
CVE-2026-42296 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
vnykmshr Credited to vnykmshr, Joibel, and isubasinghe Joibel Joibel
isubasinghe isubasinghe
Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor High
CVE-2026-42294 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
Rudra2018 Credited to Rudra2018, Joibel, and isubasinghe Joibel Joibel
isubasinghe isubasinghe
Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go) Low
CVE-2026-42183 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Wernerina Credited to Wernerina, Joibel, and isubasinghe Joibel Joibel
isubasinghe isubasinghe
Argo has Missing Authorization in its Sync ConfigMap Provider High
CVE-2026-42297 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
nebojsaj1726 Credited to nebojsaj1726, Joibel, and isubasinghe Joibel Joibel
isubasinghe isubasinghe
Incus is affected by unbounded binary import disk exhaustion Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has Nil Dereferences on Restore via Malformed YAML Moderate
CVE-2026-41684 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
raefko Credited to raefko, Ectario, and stgraber Ectario Ectario
stgraber stgraber
Incus has Unbounded YAML Metadata Decode via Parsing Low
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
raefko Credited to raefko, Ectario, and stgraber Ectario Ectario
stgraber stgraber
Incus has Nil-Pointer Dereference via S3 Bucket Import Moderate
CVE-2026-41647 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
raefko Credited to raefko, Ectario, and stgraber Ectario Ectario
stgraber stgraber
Kata Container has CopyFile Policy Subversion via Symlinks High
CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) May 4, 2026
fitzthum Credited to fitzthum, calonso-nv, fikriwahab, burgerdev, danmihai1, jojimt, and fidencio calonso-nv calonso-nv
fikriwahab fikriwahab burgerdev burgerdev danmihai1 danmihai1 jojimt jojimt fidencio fidencio
Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service Moderate
CVE-2026-41181 was published for github.com/traefik/traefik/v2 (Go) May 4, 2026
lalalala5678 Credited to lalalala5678
Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move High
CVE-2026-40893 was published for github.com/gotenberg/gotenberg/v8 (Go) May 4, 2026
AnuragBathani Credited to AnuragBathani
Incus Vulnerable to Panic via Snapshot Bounds Check Moderate
CVE-2026-40251 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots Low
CVE-2026-40243 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has a Nil-Pointer Dereference via Custom Volume Import Moderate
CVE-2026-40197 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has a Nil-Pointer Dereference Panic via Bucket Metadata Moderate
CVE-2026-40195 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has Blind SSRF via Image Import Preflight HEAD Moderate
CVE-2026-35527 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Contras Affected by CopyFile Policy Subversion via Symlinks High
GHSA-rh99-wc69-c255 was published for github.com/edgelesssys/contrast (Go) Apr 30, 2026
Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets) High
CVE-2026-42461 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 30, 2026
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation Critical
CVE-2026-42560 was published for github.com/go-pkgz/auth (Go) Apr 30, 2026
Nadav0077 Credited to Nadav0077
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database