Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
3,983
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

3,983 advisories

Loading
Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted) Moderate
CVE-2026-47753 was published for github.com/lxc/incus/v7 (Go) Jun 10, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
nebula-mesh: Session and OIDC state cookies lack the Secure attribute Moderate
CVE-2026-48058 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
ak2k Credited to ak2k
nebula-mesh: Decrypted CA private key persists in heap after signing Moderate
CVE-2026-48025 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
ak2k Credited to ak2k
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth High
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) Jun 10, 2026
everping Credited to everping, arminru, jaronoff97, and swiatekm arminru arminru
jaronoff97 jaronoff97 swiatekm swiatekm
Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion High
CVE-2026-47253 was published for github.com/julien040/anyquery (Go) Jun 10, 2026
232-323 Credited to 232-323
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
offset Credited to offset
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents High
CVE-2026-49396 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
sondt99 Credited to sondt99
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery Critical
CVE-2026-48031 was published for github.com/dhax/go-base (Go) Jun 10, 2026
saaa99999999 Credited to saaa99999999
Dex: Token-exchange endpoint is missing AllowedConnectors enforcement High
GHSA-7qjx-gp9h-65qj was published for github.com/dexidp/dex (Go) Jun 9, 2026
matte1782 Credited to matte1782
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks High
CVE-2026-47735 was published for github.com/basekick-labs/arc (Go) Jun 8, 2026
NeuroWinter Credited to NeuroWinter
nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator High
CVE-2026-47726 was published for github.com/juev/nebula-mesh (Go) Jun 8, 2026
ak2k Credited to ak2k
nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints High
CVE-2026-47725 was published for github.com/juev/nebula-mesh (Go) Jun 8, 2026
ak2k Credited to ak2k
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation Critical
CVE-2026-47724 was published for github.com/juev/nebula-mesh (Go) Jun 8, 2026
ak2k Credited to ak2k
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.) High
CVE-2026-47723 was published for github.com/juev/nebula-mesh (Go) Jun 8, 2026
ak2k Credited to ak2k
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml High
CVE-2026-47722 was published for github.com/juev/nebula-mesh (Go) Jun 8, 2026
ak2k Credited to ak2k
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin Critical
CVE-2026-47252 was published for github.com/julien040/anyquery/plugins/brave (Go) Jun 8, 2026
232-323 Credited to 232-323
Klever-Go KVM: Unauthenticated remote node crash (nil-pointer DoS) in klever-go P2P transaction interceptor (txVersionChecker nil RawData) - potential chain halt High
CVE-2026-52878 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
ch4r0utf8 Credited to ch4r0utf8
klever-go: REST API slow-header connection exhaustion via Gin Engine.Run High
CVE-2026-52880 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
estensen Credited to estensen
klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS High
CVE-2026-52879 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
estensen Credited to estensen
Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS Moderate
CVE-2026-49343 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
maiiquynhh Credited to maiiquynhh
Source controller: Improper path handling allows traversal Moderate
CVE-2026-47680 was published for github.com/fluxcd/source-controller (Go) Jun 5, 2026
hiddeco Credited to hiddeco
Klever-Go KVM: Hash-array amplification in P2P resolver request handling High
CVE-2026-47249 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
leduckhuong Credited to leduckhuong
Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService High
CVE-2026-45726 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic Low
CVE-2026-45723 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token High
CVE-2026-45720 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database