GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

167 advisories

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes High
CVE-2026-45713 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan
Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write) Moderate
CVE-2026-45712 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals Moderate
CVE-2026-45682 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
iskorotkov/avro: Denial-of-Service Vulnerability in Decoder High
GHSA-mx64-mj3q-7prj was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
Credited to klajok
Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload High
CVE-2026-44697 was published for github.com/klever-io/klever-go (Go) May 13, 2026
Credited to fbsobreira
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) May 8, 2026
Credited to JesseStutler, bugbunny-research, hzxuzhonghu, and kevin-wangzefeng
Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify any echo's fav_count Moderate
GHSA-pj6q-4vq4-r8cg was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
Hysteria: A specially constructed quic package can crash the server OOM when the sniff is enabled High
GHSA-9fw6-xgg2-mq9q was published for github.com/apernet/hysteria/core/v2 (Go) May 5, 2026
Credited to Cherrling
Hashicorp Boundary workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes High
CVE-2026-7776 was published for github.com/hashicorp/boundary (Go) May 5, 2026
Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor High
CVE-2026-42294 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
Credited to Rudra2018, Joibel, and isubasinghe
Incus is affected by unbounded binary import disk exhaustion Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
Incus has Unbounded YAML Metadata Decode via Parsing Moderate
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber
CoreDNS' DoQ worker pool does not bound stream backlog High
CVE-2026-32934 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to manizada
monetr: Server-side request forgery in Lunch Flow link creation and refresh High
CVE-2026-41644 was published for github.com/monetr/monetr (Go) Apr 22, 2026
Credited to elliotcourant
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) Low
CVE-2026-39396 was published for github.com/openbao/openbao (Go) Apr 21, 2026
Credited to n1rwhex
HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations High
CVE-2026-5807 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
SpdyStream: DOS on CRI High
CVE-2026-35469 was published for github.com/moby/spdystream (Go) Apr 16, 2026
In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation High
CVE-2026-40481 was published for github.com/monetr/monetr (Go) Apr 14, 2026
Credited to Jvr2022, th3fallen, and elliotcourant
Vikunja has File Size Limit Bypass via Vikunja Import Moderate
CVE-2026-35602 was published for code.vikunja.io/api (Go) Apr 10, 2026
Credited to adrgs and aisafe-bot
MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing High
CVE-2026-39414 was published for github.com/minio/minio (Go) Apr 9, 2026
Credited to klauspost, marktheunissen, donatello, XlabAITeam, and harshavardhana
Mattermost MS Teams plugin doesn't limit the request body size on the /lifecycle webhook endpoint Low
CVE-2026-21388 was published for github.com/mattermost/mattermost-plugin-msteams (Go) Apr 9, 2026
Mattermost MS Teams plugin doesn't limit the request body size on the /changes webhook endpoint Moderate
CVE-2026-24661 was published for github.com/mattermost/mattermost-plugin-msteams (Go) Apr 9, 2026
kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution Moderate
GHSA-h9mw-h4qc-f5jf was published for github.com/platform-mesh/kubernetes-graphql-gateway (Go) Apr 8, 2026
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification) High
CVE-2026-29181 was published for go.opentelemetry.io/otel (Go) Apr 7, 2026
Credited to 1seal, XSAM, and Ankush-Pathak