GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
97 advisories
SpiceDB: Caveat structures with nested lists can result in improper cache reuse
Severity: Low. CVE-2026-46668 was published for github.com/authzed/spicedb (Go), May 21, 2026.

SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
Severity: High. CVE-2026-45371 was published for github.com/siyuan-note/siyuan/kernel (Go), May 13, 2026.

SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
Severity: Moderate. CVE-2026-45147 was published for github.com/siyuan-note/siyuan/kernel (Go), May 13, 2026.

ExternalSecrets vulnerable to privilege escalation with secret overwriting
Severity: Moderate. CVE-2026-42876 was published for github.com/external-secrets/external-secrets/apis (Go), May 8, 2026.

External Secrets Operator has Namespace Isolation Bypass in CAProvider ConfigMap Resolution for SecretStore
Severity: Moderate. CVE-2026-42875 was published for github.com/external-secrets/external-secrets (Go), May 5, 2026.

Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
Severity: Moderate. CVE-2026-41572 was published for github.com/enchant97/note-mark/backend (Go), Apr 25, 2026.

free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions
Severity: High. CVE-2026-40248 was published for github.com/free5gc/udr (Go), Apr 14, 2026.

free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions
Severity: High. CVE-2026-40247 was published for github.com/free5gc/udr (Go), Apr 14, 2026.

free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions
Severity: High. CVE-2026-40246 was published for github.com/free5gc/udr (Go), Apr 14, 2026.

Juju: CloudSpec method leaking cloud credentials
Severity: Critical. CVE-2026-5412 was published for github.com/juju/juju (Go), Apr 10, 2026.

Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export
Severity: High. GHSA-4h9q-p5j4-xvvh was published for github.com/lin-snow/ech0 (Go), Apr 10, 2026.

SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
Severity: High. CVE-2026-40259 was published for github.com/siyuan-note/siyuan/kernel (Go), Apr 10, 2026.

monetr: Protected Transactions Deletable via PUT
Severity: Moderate. CVE-2026-39901 was published for github.com/monetr/monetr (Go), Apr 8, 2026.

Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
Severity: High. GHSA-46wh-3698-f2cx was published for github.com/traefik/traefik/v2 (Go), Mar 29, 2026.

Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions
Severity: Moderate. CVE-2026-21724 was published for github.com/grafana/grafana (Go), Mar 26, 2026.

Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Severity: High. CVE-2026-33680 was published for code.vikunja.io/api (Go), Mar 25, 2026.

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Severity: High. CVE-2026-33668 was published for code.vikunja.io/api (Go), Mar 25, 2026.

NATS JetStream has an authorization bypass through its Management API
Severity: Moderate. CVE-2026-33222 was published for github.com/nats-io/nats-server (Go), Mar 24, 2026.

Juju has unauthorized update of out-of-scope Vault secrets
Severity: High. CVE-2026-32692 was published for github.com/juju/juju (Go), Mar 19, 2026.

gRPC-Go has an authorization bypass via missing leading slash in :path
Severity: Critical. CVE-2026-33186 was published for google.golang.org/grpc (Go), Mar 18, 2026.

SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB
Severity: Moderate. CVE-2026-32704 was published for github.com/siyuan-note/siyuan/kernel (Go), Mar 13, 2026.

Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning
Severity: Low. GHSA-q926-c743-49qj was published for github.com/centrifugal/centrifugo (Go), Mar 13, 2026.

SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage
Severity: Critical. CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go), Mar 7, 2026.

Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB)
Severity: Critical. CVE-2022-31247 was published for github.com/rancher/rancher (Go), Mar 3, 2026.

INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints
Severity: High. GHSA-xfx2-prg5-jq3g was published for github.com/romitou/insatutorat (Go), Mar 1, 2026.

ProTip! Advisories are also available from the GraphQL API.