GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

198 advisories

Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members (Moderate)
  CVE-2026-47124, published for github.com/nezhahq/nezha (Go) on May 23, 2026
  Credited to sondt99

FileBrowser Quantum: unauthenticated user share share info (High)
  CVE-2026-46410, published for github.com/gtsteffaniak/filebrowser (Go) on May 19, 2026

Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation (Moderate)
  GHSA-m23h-6mwm-39m8, published for github.com/kong/kubernetes-ingress-controller (Go) on May 19, 2026
  Credited to bugbunny-research

Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations (Moderate)
  CVE-2026-45737, published for github.com/argoproj/argo-cd/v3 (Go) on May 19, 2026

Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication (Moderate)
  GHSA-9v4j-7g44-qcqw, published for github.com/xyproto/algernon (Go) on May 19, 2026
  Credited to Dredsen

OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure (Low)
  CVE-2026-45683, published for go.opentelemetry.io/obi (Go) on May 18, 2026
  Credited to MrAlias and grcevski

Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update (High)
  CVE-2026-44881, published for github.com/portainer/portainer (Go) on May 14, 2026
  Credited to b-hermes

Ech0 comment model's Email field returned on public /api/comments endpoints (Moderate)
  GHSA-rj4g-rqgh-rx9h, published for github.com/lin-snow/Ech0 (Go) on May 7, 2026
  Credited to adrgs and aisafe-bot

ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction (Critical)
  CVE-2026-42880, published for github.com/argoproj/argo-cd/v3 (Go) on May 7, 2026
  Credited to hoang-prod

Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening (Critical)
  GHSA-9h64-2846-7x7f, published for github.com/getaxonflow/axonflow (Go) on May 6, 2026

DevSpace UI Server WebSocket CheckOrigin does not validate source (High)
  CVE-2026-42283, published for github.com/loft-sh/devspace (Go) on May 6, 2026
  Credited to b0b0haha

Nginx-UI Settings API Exposes Protected Secrets (Moderate)
  CVE-2026-42223, published for github.com/0xJacky/nginx-ui (Go) on May 6, 2026
  Credited to yotampe-pluto and lilmingwa13

Prometheus Azure AD remote write OAuth client secret exposed via config API (High)
  CVE-2026-42151, published for github.com/prometheus/prometheus (Go) on May 5, 2026
  Credited to brettgervasoni

Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters (Moderate)
  CVE-2026-30246, published for github.com/gofiber/fiber/v3 (Go) on Apr 28, 2026
  Credited to xeloxa, gaby, and ReneWerner87

Cilium exposes sensitive information included in the cilium-bugtool debug archive (High)
  CVE-2026-41520, published for github.com/cilium/cilium (Go) on Apr 25, 2026
  Credited to tklauser and kodareef5

Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars (Critical)
  CVE-2026-41492, published for github.com/dgraph-io/dgraph (Go) on Apr 24, 2026
  Credited to MaherAzzouzi

Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak) (High)
  GHSA-8wfp-579w-6r25, published for github.com/kyverno/kyverno (Go) on Apr 16, 2026
  Credited to scumfrog

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL (High)
  CVE-2026-41323, published for github.com/kyverno/kyverno (Go) on Apr 16, 2026
  Credited to KoreaSecurity

Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints (Critical)
  CVE-2026-40173, published for github.com/dgraph-io/dgraph (Go) on Apr 16, 2026
  Credited to komi22

Pyroscope Exposes Storage Secret (Critical)
  CVE-2025-41118, published for github.com/grafana/pyroscope (Go) on Apr 15, 2026

goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access (High)
  CVE-2026-40885, published for github.com/patrickhener/goshs/v2 (Go) on Apr 14, 2026
  Credited to R1ZZG0D

free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication (High)
  CVE-2026-40245, published for github.com/free5gc/udr (Go) on Apr 14, 2026
  Credited to Giancannella and FrancescoDAlterio

External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine (High)
  CVE-2026-34984, published for github.com/external-secrets/external-secrets (Go) on Apr 13, 2026
  Credited to kodareef5

HashiCorp's go-getter library may allow arbitrary file reads (High)
  CVE-2026-4660, published for github.com/hashicorp/go-getter (Go) on Apr 9, 2026