GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
198 advisories
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Moderate
CVE-2026-47124
was published
for
github.com/nezhahq/nezha
(Go)
May 23, 2026
Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation
Moderate
GHSA-m23h-6mwm-39m8
was published
for
github.com/kong/kubernetes-ingress-controller
(Go)
May 19, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
Moderate
GHSA-9v4j-7g44-qcqw
was published
for
github.com/xyproto/algernon
(Go)
May 19, 2026
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure
Low
CVE-2026-45683
was published
for
go.opentelemetry.io/obi
(Go)
May 18, 2026
DevSpace UI Server WebSocket CheckOrigin does not validate source
High
CVE-2026-42283
was published
for
github.com/loft-sh/devspace
(Go)
May 6, 2026
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update
High
CVE-2026-44881
was published
for
github.com/portainer/portainer
(Go)
May 14, 2026
Unauthorized access to Argo Workflows Template
High
CVE-2026-28229
was published
for
github.com/argoproj/argo-workflows/v3
(Go)
Mar 11, 2026
Cillium exposes sensitive information included in the cilium-bugtool debug archive
High
CVE-2026-41520
was published
for
github.com/cilium/cilium
(Go)
Apr 25, 2026
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Critical
CVE-2026-42880
was published
for
github.com/argoproj/argo-cd/v3
(Go)
May 7, 2026
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Moderate
CVE-2026-30246
was published
for
github.com/gofiber/fiber/v3
(Go)
Apr 28, 2026
Ech0 comment model's Email field returned on public /api/comments endpoints
Moderate
GHSA-rj4g-rqgh-rx9h
was published
for
github.com/lin-snow/Ech0
(Go)
May 7, 2026
Nginx-UI Settings API Exposes Protected Secrets
Moderate
CVE-2026-42223
was published
for
github.com/0xJacky/nginx-ui
(Go)
May 6, 2026
Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Moderate
CVE-2026-42220
was published
for
github.com/0xJacky/Nginx-UI
(Go)
May 5, 2026
Prometheus Azure AD remote write OAuth client secret exposed via config API
High
CVE-2026-42151
was published
for
github.com/prometheus/prometheus
(Go)
May 5, 2026
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars
Critical
CVE-2026-41492
was published
for
github.com/dgraph-io/dgraph
(Go)
Apr 24, 2026
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
High
CVE-2026-34984
was published
for
github.com/external-secrets/external-secrets
(Go)
Apr 13, 2026
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
High
CVE-2026-40885
was published
for
github.com/patrickhener/goshs/v2
(Go)
Apr 14, 2026
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints
Critical
CVE-2026-40173
was published
for
github.com/dgraph-io/dgraph
(Go)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API