GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 70; GitHub Actions 52; Go 3,904; Maven 5,000+; npm 5,000+; NuGet 967; pip 5,000+; Pub 13; RubyGems 1,062; Rust 1,374; Swift 54.

Unreviewed advisories: All unreviewed 5,000+.

76 advisories
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
High. CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) on May 23, 2026.

Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
High. CVE-2026-44882 was published for github.com/portainer/portainer (Go) on May 14, 2026.

Portainer has a bind-mount restriction bypass via HostConfig.Mounts
High. CVE-2026-44850 was published for github.com/portainer/portainer (Go) on May 14, 2026.

Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
High. CVE-2026-44473 was published for github.com/ellanetworks/core (Go) on May 11, 2026.

Argo has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure
High. CVE-2026-42296 was published for github.com/argoproj/argo-workflows/v3 (Go) on May 4, 2026.

CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass)
High. CVE-2026-33489 was published for github.com/coredns/coredns (Go) on Apr 28, 2026.

New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
High. CVE-2026-41432 was published for github.com/QuantumNous/new-api (Go) on Apr 24, 2026.

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
High. CVE-2026-33031 was published for github.com/0xJacky/Nginx-UI (Go) on Apr 21, 2026.

Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
High. CVE-2026-41068 was published for github.com/kyverno/kyverno (Go) on Apr 16, 2026.

File Browser share links remain accessible after Share/Download permissions are revoked
High. CVE-2026-35604 was published for github.com/filebrowser/filebrowser/v2 (Go) on Apr 8, 2026.

Juju has a resource poisoning vulnerability
High. CVE-2025-68153 was published for github.com/juju/juju (Go) on Apr 3, 2026.

SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
High. CVE-2026-34453 was published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 31, 2026.

Moby has AuthZ plugin bypass when provided oversized request bodies
High. CVE-2026-34040 was published for github.com/docker/docker (Go) on Mar 27, 2026.

NATS allows MQTT clients to bypass ACL checks
High. CVE-2026-33217 was published for github.com/nats-io/nats-server (Go) on Mar 24, 2026.

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
High. CVE-2026-33316 was published for code.vikunja.io/api (Go) on Mar 20, 2026.

Heimdall: Path received via Envoy gRPC corrupted when containing query string
High. CVE-2026-32811 was published for github.com/dadrus/heimdall (Go) on Mar 18, 2026.

OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream
High. CVE-2026-32102 was published for github.com/OliveTin/OliveTin (Go) on Mar 12, 2026.

Argo Workflows: WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode
High. CVE-2026-31892 was published for github.com/argoproj/argo-workflows (Go) on Mar 11, 2026.

Unauthorized access to Argo Workflows Template
High. CVE-2026-28229 was published for github.com/argoproj/argo-workflows/v3 (Go) on Mar 11, 2026.

zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required)
High. CVE-2026-31801 was published for zotregistry.dev/zot (Go) on Mar 10, 2026.

Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation
High. CVE-2026-26308 was published for github.com/envoyproxy/envoy (Go) on Mar 10, 2026.

Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys
High. CVE-2026-29196 was published for github.com/gravitl/netmaker (Go) on Mar 9, 2026.

Netmaker has Insufficient Authorization in Host Token Verification
High. CVE-2026-29194 was published for github.com/gravitl/netmaker (Go) on Mar 9, 2026.

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange
High. CVE-2026-28513 was published for github.com/pocket-id/pocket-id/backend (Go) on Mar 9, 2026.

OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
High. CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) on Mar 2, 2026.