
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

9 advisories

nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store (Severity: Low)
GHSA-6vgg-xhvh-38ff was published for github.com/juev/nebula-mesh (Go) on Jun 12, 2026
Credited to ak2k

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) (Severity: Moderate)
CVE-2026-47768 was published for github.com/juev/nebula-mesh (Go) on Jun 10, 2026
Credited to ak2k

nebula-mesh: Session and OIDC state cookies lack the Secure attribute (Severity: Moderate)
CVE-2026-48058 was published for github.com/juev/nebula-mesh (Go) on Jun 10, 2026
Credited to ak2k

nebula-mesh: Decrypted CA private key persists in heap after signing (Severity: Moderate)
CVE-2026-48025 was published for github.com/juev/nebula-mesh (Go) on Jun 10, 2026
Credited to ak2k

nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator (Severity: High)
CVE-2026-47726 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k

nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints (Severity: High)
CVE-2026-47725 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k

nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation (Severity: Critical)
CVE-2026-47724 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k

nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.) (Severity: High)
CVE-2026-47723 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k

nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml (Severity: High)
CVE-2026-47722 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k