GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,443 advisories

Kata guest escape: runtime-rs guest-root to host-root escape via virtiofs High
CVE-2026-47243 was published for github.com/kata-containers/kata-containers (Go) May 27, 2026
Credited to JulesDT, sprt, fidencio, and stevenhorsman
CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests High
CVE-2026-44982 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
Credited to mmarting
Arcane: Missing admin authorization on global variables endpoint High
CVE-2026-47125 was published for github.com/getarcaneapp/arcane/backend (Go) May 23, 2026
Credited to offset
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
containerd user ID handling bypass allows runAsNonRoot evasion High
CVE-2026-46680 was published for github.com/containerd/containerd (Go) May 21, 2026
Credited to ssst0n3
Credited to FORIMOC and sanketsudake
Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives High
CVE-2026-46612 was published for github.com/fission/fission (Go) May 21, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Caddy Defender trusted proxy client IP bypass High
CVE-2026-46415 was published for pkg.jsn.cam/caddy-defender (Go) May 19, 2026
Credited to JasonLovesDoggo
FileBrowser Quantum: unauthenticated user share share info High
CVE-2026-46410 was published for github.com/gtsteffaniak/filebrowser (Go) May 19, 2026
Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal High
CVE-2026-46378 was published for github.com/tomwright/dasel/v3 (Go) May 19, 2026
Credited to kq5y
Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string High
CVE-2026-46377 was published for github.com/tomwright/dasel/v3 (Go) May 19, 2026
Credited to kq5y
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation High
CVE-2026-45738 was published for github.com/argoproj/argo-cd (Go) May 19, 2026
Credited to kah-ja
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes High
CVE-2026-45713 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan
zrok copy writes attacker-controlled WebDAV paths outside the destination root High
CVE-2026-45576 was published for github.com/openziti/zrok (Go) May 19, 2026
Credited to aisafe-bot
Algernon: Single-file mode unconditionally enables debug mode High
CVE-2026-45728 was published for github.com/xyproto/algernon (Go) May 19, 2026
Credited to Dredsen
OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI High
CVE-2026-45686 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages High
CVE-2026-45685 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias
OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads High
CVE-2026-45678 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias, grcevski, and rafaelroquetto
Docker: Race condition in docker cp allows bind mount redirection to host path High
CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026
Credited to vvoland
Docker: `PUT /containers/{id}/archive` executes container binary on the host High
CVE-2026-41567 was published for github.com/docker/docker (Go) May 18, 2026
Credited to manizada and vvoland
TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection High
CVE-2026-45327 was published for github.com/DatanoiseTV/tinyice (Go) May 18, 2026
Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy) High
CVE-2026-45298 was published for github.com/amir20/dozzle (Go) May 18, 2026
iskorotkov/avro: CPU Exhaustion in Decoder High
CVE-2026-46385 was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
Credited to klajok
iskorotkov/avro: Integer Overflow in Decoder High
CVE-2026-46384 was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
Credited to klajok
Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover High
CVE-2026-45627 was published for github.com/getarcaneapp/arcane/backend (Go) May 18, 2026
Credited to offset