GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
432 advisories
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron. Severity: Critical. CVE-2026-46716 was published for github.com/nezhahq/nezha (Go) on May 23, 2026.
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory. Severity: Critical. GHSA-qqqm-5547-774x was published for github.com/gtsteffaniak/filebrowser/backend (Go) on May 22, 2026.
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host. Severity: Critical. CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) on May 21, 2026.
BoxLite: Permission Bypass Allows Modification of Read-Only Files. Severity: Critical. CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) on May 21, 2026.
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger. Severity: Critical. CVE-2026-46614 was published for github.com/fission/fission (Go) on May 21, 2026.
Crabbox: environment variable exposure vulnerability. Severity: Critical. CVE-2026-8634 was published for github.com/openclaw/crabbox (Go) on May 14, 2026.
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution. Severity: Critical. CVE-2026-41179 was published for github.com/rclone/rclone (Go) on Apr 22, 2026.
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft. Severity: Critical. CVE-2026-46354 was published for github.com/coder/coder (Go) on May 19, 2026.
MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path. Severity: Critical. GHSA-g53w-w6mj-hrpp was published for github.com/Kuadrant/mcp-gateway (Go) on May 19, 2026.
Kopia: RCE via SSH ProxyCommand Injection. Severity: Critical. CVE-2026-45695 was published for github.com/kopia/kopia (Go) on May 19, 2026.
Algernon: handler.lua discovery walks parent directories above the server root. Severity: Critical. CVE-2026-45721 was published for github.com/xyproto/algernon (Go) on May 19, 2026.
Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs. Severity: Critical. CVE-2026-45625 was published for github.com/getarcaneapp/arcane/backend (Go) on May 18, 2026.
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE. Severity: Critical. CVE-2026-44670 was published for github.com/siyuan-note/siyuan/kernel (Go) on May 8, 2026.
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution. Severity: Critical. CVE-2026-45375 was published for github.com/siyuan-note/siyuan/kernel (Go) on May 13, 2026.
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585). Severity: Critical. CVE-2026-44588 was published for github.com/siyuan-note/siyuan/kernel (Go) on May 8, 2026.
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery. Severity: Critical. CVE-2026-44523 was published for github.com/enchant97/note-mark/backend (Go) on May 7, 2026.
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion. Severity: Critical. CVE-2026-44542 was published for github.com/gtsteffaniak/filebrowser (Go) on May 7, 2026.
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook. Severity: Critical. CVE-2026-42596 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 7, 2026.
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection. Severity: Critical. CVE-2026-42589 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 7, 2026.
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering. Severity: Critical. CVE-2026-41050 was published for github.com/rancher/fleet (Go) on May 7, 2026.
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass. Severity: Critical. CVE-2026-41574 was published for github.com/nhost/nhost (Go) on Apr 18, 2026.
Portainer has an endpoint security bypass via Swarm service create/update. Severity: Critical. CVE-2026-44849 was published for github.com/portainer/portainer (Go) on May 14, 2026.
Portainer missing authorization on Docker plugin endpoints, which allows host RCE. Severity: Critical. CVE-2026-44848 was published for github.com/portainer/portainer (Go) on May 14, 2026.
DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header. Severity: Critical. CVE-2026-42300 was published for github.com/l3montree-dev/devguard (Go) on May 5, 2026.
Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server. Severity: Critical. GHSA-vw82-7fv8-r6gp was published for github.com/obot-platform/obot (Go) on May 13, 2026.
Advisories are also available from the GraphQL API.