
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,735 advisories

CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression Moderate
CVE-2026-44981 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
Credited to davide-s-rosa
Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations Moderate
CVE-2026-44210 was published for github.com/kata-containers/kata-containers (Go) May 26, 2026
Credited to K-Rintaro and fidencio
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members Moderate
CVE-2026-47124 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Credited to sondt99
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) Moderate
CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching Moderate
CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to 1seal, offset, vdemeester, and waveywaves
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion Moderate
CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to offset, vdemeester, and waveywaves
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check Moderate
CVE-2026-40923 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to kodareef5, vdemeester, aThorp96, and waveywaves
Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables Moderate
CVE-2026-46618 was published for github.com/fission/fission (Go) May 21, 2026
Credited to b0b0haha, j311yl0v3u, and sanketsudake
Klever-Go KVM read-only execution can commit contract delete and upgrade side effects Moderate
CVE-2026-46403 was published for github.com/klever-io/klever-go (Go) May 21, 2026
podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints Moderate
CVE-2026-43644 was published for github.com/stefanprodan/podinfo (Go) May 14, 2026
Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: * Moderate
CVE-2026-46431 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen
Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS Moderate
CVE-2026-46430 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen
Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint Moderate
CVE-2026-45796 was published for github.com/coder/coder (Go) May 19, 2026
Credited to bencalif
Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching Moderate
GHSA-gx7w-56w6-g48x was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026
Credited to Amemoyoi
Caddy CVE-2026-30852 Fix Bypass Moderate
GHSA-wwhq-w58m-w29c was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026
Credited to everping
Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation Moderate
GHSA-m23h-6mwm-39m8 was published for github.com/kong/kubernetes-ingress-controller (Go) May 19, 2026
Credited to bugbunny-research
Kong Ingress Controller for Kubernetes (KIC): Secret-backed plugin configurations leak through non-sensitive diagnostics endpoint Moderate
GHSA-3278-c88v-xrh4 was published for github.com/kong/kubernetes-ingress-controller (Go) May 19, 2026
Credited to bugbunny-research
Envoy AI Proxy - MCP Message Smuggling Vulnerability Moderate
GHSA-4gph-2hhr-5mwg was published for github.com/envoyproxy/ai-gateway (Go) May 19, 2026
Credited to anaximand3r
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations Moderate
CVE-2026-45737 was published for github.com/argoproj/argo-cd/v3 (Go) May 19, 2026
Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write) Moderate
CVE-2026-45712 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan
Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs Moderate
CVE-2026-45711 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan
Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer Moderate
CVE-2026-45709 was published for github.com/axllent/mailpit (Go) May 19, 2026
Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization Moderate
CVE-2026-45692 was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026
Credited to Amemoyoi
HashiCorp Nomad vulnerable to symlink attack Moderate
CVE-2026-6959 was published for github.com/hashicorp/nomad (Go) May 12, 2026
HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack Moderate
CVE-2026-8052 was published for github.com/hashicorp/nomad-driver-exec2 (Go) May 12, 2026