
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

1,473 advisories

OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth (High)
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) on Jun 10, 2026
Credited to everping, arminru, jaronoff97, and swiatekm
Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion (High)
CVE-2026-47253 was published for github.com/julien040/anyquery (Go) on Jun 10, 2026
Credited to 232-323
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents (High)
CVE-2026-49396 was published for github.com/nezhahq/nezha (Go) on Jun 10, 2026
Credited to sondt99
Dex: Token-exchange endpoint is missing AllowedConnectors enforcement (High)
GHSA-7qjx-gp9h-65qj was published for github.com/dexidp/dex (Go) on Jun 9, 2026
Credited to matte1782
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks (High)
CVE-2026-47735 was published for github.com/basekick-labs/arc (Go) on Jun 8, 2026
Credited to NeuroWinter
nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator (High)
CVE-2026-47726 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k
nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints (High)
CVE-2026-47725 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.) (High)
CVE-2026-47723 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml (High)
CVE-2026-47722 was published for github.com/juev/nebula-mesh (Go) on Jun 8, 2026
Credited to ak2k
klever-go: REST API slow-header connection exhaustion via Gin Engine.Run (High)
CVE-2026-52880 was published for github.com/klever-io/klever-go (Go) on Jun 5, 2026
Credited to estensen
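The mitigation for the slow-header class named in this advisory is to stop relying on Gin's `Engine.Run`, which calls `http.ListenAndServe` and therefore gets an `http.Server` with no timeouts, and to build the server explicitly. The following is an added example, not klever-go's code; it uses a plain `http.ServeMux` in place of a `*gin.Engine` so it runs without Gin (a `gin.Engine` implements `http.Handler` and can be passed as `Handler` the same way). The port, timeout values and `/healthz` route are constructed for the illustration.

```go
package main

import (
	"net/http"
	"time"
)

// newHardenedServer wraps a handler in an http.Server whose read deadlines are
// set. Without ReadHeaderTimeout a client that opens a connection and sends one
// header byte every few seconds holds that connection, and its goroutine, for
// as long as it likes; enough such clients exhaust the listener.
func newHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:    addr,
		Handler: h,
		// Deadline for reading the request line and headers. This is the
		// control that ends a slow-header (Slowloris-style) connection.
		ReadHeaderTimeout: 5 * time.Second,
		// Deadline for the whole request read (headers and body).
		ReadTimeout: 15 * time.Second,
		// Deadline for writing the response.
		WriteTimeout: 30 * time.Second,
		// Keep-alive connections idle longer than this are closed.
		IdleTimeout: 60 * time.Second,
		// Cap per-connection header buffering so headers cannot be used to
		// allocate memory without bound either.
		MaxHeaderBytes: 1 << 16,
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	// Replaces engine.Run(":8080"): Run offers no way to set these deadlines.
	srv := newHardenedServer(":8080", mux)
	_ = srv.ListenAndServe()
}
```

`ReadTimeout` applies to the body as well, so services that accept large uploads usually keep `ReadHeaderTimeout` tight and relax `ReadTimeout` per route (for example via `http.ResponseController.SetReadDeadline` in the handler) rather than raising it globally.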
klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS (High)
CVE-2026-52879 was published for github.com/klever-io/klever-go (Go) on Jun 5, 2026
Credited to estensen
Klever-Go KVM: Hash-array amplification in P2P resolver request handling (High)
CVE-2026-47249 was published for github.com/klever-io/klever-go (Go) on Jun 5, 2026
Credited to leduckhuong
Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService (High)
CVE-2026-45726 was published for github.com/siderolabs/omni (Go) on Jun 5, 2026
Credited to bugbunny-research
Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token (High)
CVE-2026-45720 was published for github.com/siderolabs/omni (Go) on Jun 5, 2026
Credited to bugbunny-research
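A "single-use" token becomes multi-use whenever the existence check and the deletion are two separate critical sections, because every request that reads the token before the first deletion lands is accepted. The following is an added example, not Omni's code, and says nothing about how Omni stores SAML sessions: it builds a constructed in-memory token store in both the racy check-then-act shape and the atomic shape, and drives both with concurrent consumers so the difference is observable. The token string and subject are made up.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var ErrTokenUsed = errors.New("session token missing or already consumed")

// RacyTokenStore looks the token up and deletes it in two separate lock holds.
// Every goroutine that passes the lookup before the first delete is accepted:
// that window between time-of-check and time-of-use is the bug.
type RacyTokenStore struct {
	mu     sync.RWMutex
	tokens map[string]string // token -> subject
}

func (s *RacyTokenStore) Consume(token string) (string, error) {
	s.mu.RLock()
	subject, ok := s.tokens[token] // time of check
	s.mu.RUnlock()
	if !ok {
		return "", ErrTokenUsed
	}
	s.mu.Lock()
	delete(s.tokens, token) // time of use: others may already have passed the check
	s.mu.Unlock()
	return subject, nil
}

// AtomicTokenStore does lookup and removal under one lock hold, so at most one
// caller can ever observe a given token.
type AtomicTokenStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func (s *AtomicTokenStore) Consume(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	subject, ok := s.tokens[token]
	if !ok {
		return "", ErrTokenUsed
	}
	delete(s.tokens, token)
	return subject, nil
}

type consumer interface {
	Consume(token string) (string, error)
}

// raceConsume fires n concurrent consumers at the same token and counts how
// many were accepted. A correct single-use token yields exactly 1.
func raceConsume(c consumer, token string, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	accepted := 0
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // release everyone at once to widen the race window
			if _, err := c.Consume(token); err == nil {
				mu.Lock()
				accepted++
				mu.Unlock()
			}
		}()
	}
	close(start)
	wg.Wait()
	return accepted
}

func newRacyStore(token, subject string) *RacyTokenStore {
	return &RacyTokenStore{tokens: map[string]string{token: subject}}
}

func newAtomicStore(token, subject string) *AtomicTokenStore {
	return &AtomicTokenStore{tokens: map[string]string{token: subject}}
}

func main() {
	const tok = "saml-session-0001" // constructed value, not a real token format
	fmt.Printf("racy store accepted %d of 200 concurrent uses\n", raceConsume(newRacyStore(tok, "alice"), tok, 200))
	fmt.Printf("atomic store accepted %d of 200 concurrent uses\n", raceConsume(newAtomicStore(tok, "alice"), tok, 200))
}
```

The racy count varies from run to run and is often 1 on a lightly loaded machine, which is exactly why this class of bug survives testing; the atomic store is the invariant to assert on. For a store backed by a database rather than a map, the equivalent is a single `DELETE ... RETURNING` (or a compare-and-delete on a key-value store) rather than a `SELECT` followed by a `DELETE`.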
Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS) (High)
GHSA-74m6-4hjp-7226 was published for github.com/klever-io/klever-go (Go) on Jun 4, 2026
Credited to LoG1331
Nuclio: Missing authorization on project write paths allows any authenticated user to modify or delete any project (High)
CVE-2026-45730 was published for github.com/nuclio/nuclio (Go) on Jun 4, 2026
Credited to j311yl0v3u and b0b0haha
Nezha's authenticated agents can forge service-monitor results for other users' services (High)
CVE-2026-48119 was published for github.com/nezhahq/nezha (Go) on Jun 1, 2026
Credited to sondt99
authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user (High)
CVE-2026-47201 was published for goauthentik.io (Go) on May 29, 2026
Gotenberg has a Race Condition via Multipart `downloadFrom` Handling (High)
CVE-2026-45742 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 29, 2026
Credited to uokik
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes (High)
CVE-2026-45741 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 29, 2026
Credited to yuui25
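The prefixes named in this title are all ways an IPv6 literal can stand for an internal IPv4 destination: 6to4 (`2002::/16`) and NAT64 (`64:ff9b::/96`) embed an IPv4 address in the IPv6 address, and site-local (`fec0::/10`) is a deprecated internal range that none of the usual "is this loopback / private / link-local" predicates flag. The following is an added example, not Gotenberg's code and not a claim about how Gotenberg's `IsPublicIP` is written; it shows a typical deny-list check built on Go's `net/netip` classifiers beside a hardened version that normalises the address, checks the reserved IPv6 ranges, and judges any embedded IPv4. It also goes a little beyond the title by unmapping IPv4-mapped addresses and denying a few IPv4 special ranges (`0.0.0.0/8`, `100.64.0.0/10`, `192.0.0.0/24`, `198.18.0.0/15`, `240.0.0.0/4`) that `netip` does not flag on its own. The probe addresses in `main` are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// naiveIsPublicIP is the bypassable shape: it asks the standard classifiers
// about the literal address only. Those classifiers are correct for what they
// test, but none of them knows about transition-mechanism encodings.
func naiveIsPublicIP(ip netip.Addr) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

var (
	sixToFour = netip.MustParsePrefix("2002::/16")    // RFC 3056: IPv4 in bits 16-47
	nat64WKP  = netip.MustParsePrefix("64:ff9b::/96") // RFC 6052 well-known prefix: IPv4 in the last 32 bits
	v4Compat  = netip.MustParsePrefix("::/96")        // deprecated IPv4-compatible form: IPv4 in the last 32 bits
	siteLocal = netip.MustParsePrefix("fec0::/10")    // RFC 3879 deprecated site-local

	// IPv4 ranges that are not reachable on the public internet but that the
	// netip predicates do not report.
	extraV4Denied = []netip.Prefix{
		netip.MustParsePrefix("0.0.0.0/8"),
		netip.MustParsePrefix("100.64.0.0/10"), // RFC 6598 shared address space
		netip.MustParsePrefix("192.0.0.0/24"),
		netip.MustParsePrefix("198.18.0.0/15"), // benchmarking
		netip.MustParsePrefix("240.0.0.0/4"),
	}
)

// embeddedIPv4 returns the IPv4 address carried inside a 6to4, well-known-prefix
// NAT64, or IPv4-compatible IPv6 address. Operator-assigned NAT64 prefixes
// (RFC 6052 allows /32 to /96) are deployment-specific and would have to be
// configured in addition.
func embeddedIPv4(ip netip.Addr) (netip.Addr, bool) {
	if !ip.Is6() || ip.Is4In6() {
		return netip.Addr{}, false
	}
	b := ip.As16()
	switch {
	case sixToFour.Contains(ip):
		return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]}), true
	case nat64WKP.Contains(ip), v4Compat.Contains(ip):
		return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
	}
	return netip.Addr{}, false
}

// hardenedIsPublicIP normalises first (Unmap turns ::ffff:a.b.c.d into a.b.c.d),
// rejects the reserved IPv6 ranges, and then judges any embedded IPv4 address,
// since that is the host the transition mechanism ultimately reaches.
func hardenedIsPublicIP(ip netip.Addr) bool {
	ip = ip.Unmap()
	if !ip.IsValid() || !ip.IsGlobalUnicast() || ip.IsPrivate() || siteLocal.Contains(ip) {
		return false
	}
	if v4, ok := embeddedIPv4(ip); ok {
		return hardenedIsPublicIP(v4)
	}
	if ip.Is4() {
		for _, p := range extraV4Denied {
			if p.Contains(ip) {
				return false
			}
		}
	}
	return true
}

func main() {
	// Constructed probes: the first four each resolve to, or encode, a
	// non-public destination; the last is a genuinely public resolver.
	for _, s := range []string{
		"::ffff:10.0.0.1",      // IPv4-mapped 10.0.0.1
		"2002:0a00:0001::",     // 6to4 carrying 10.0.0.1
		"64:ff9b::7f00:1",      // NAT64 carrying 127.0.0.1
		"fec0::1",              // site-local
		"2001:4860:4860::8888", // public
	} {
		ip := netip.MustParseAddr(s)
		fmt.Printf("%-22s naive=%-5t hardened=%t\n", s, naiveIsPublicIP(ip), hardenedIsPublicIP(ip))
	}
}
```

An IP-level check is only half of an SSRF defence: the resolver must be run by the same code that performs the check and the connection must be made to the address that was checked (a custom `net.Dialer.Control` is the usual place), otherwise a DNS answer that changes between check and connect reopens the hole.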
Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename (High)
CVE-2026-44829 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 29, 2026
Credited to Curly-Haired-Baboon
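On Linux, `path.Base`, `filepath.Base` and `filepath.Clean` treat a backslash as an ordinary filename character, so a client-supplied name such as `..\..\etc\passwd` passes through them as one harmless-looking component and only turns into a traversal when a Windows tool unpacks the resulting archive. The following is an added example, not Gotenberg's code and not a description of where in Gotenberg the name is used; it reduces an upload filename to a single safe zip entry name by normalising both separator styles first, then writes constructed uploads into an archive and reads the entry names back so the effect can be checked. Function names, the sample filenames and contents are made up.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path"
	"sort"
	"strings"
	"unicode"
)

var ErrBadFilename = errors.New("unsafe filename")

// sanitizeEntryName maps a client-supplied filename to exactly one path
// component. Separators of both styles are normalised before any path logic
// runs, a drive prefix is dropped, directory parts are discarded, and dot
// entries or names containing control characters are rejected outright.
func sanitizeEntryName(name string) (string, error) {
	n := strings.ReplaceAll(name, "\\", "/") // Windows separators become real separators
	// "C:..\\x" would otherwise keep its dot-dot hidden behind the drive letter.
	if len(n) >= 2 && n[1] == ':' && unicode.IsLetter(rune(n[0])) {
		n = n[2:]
	}
	base := path.Base(n) // last component only
	switch base {
	case "", ".", "..", "/":
		return "", ErrBadFilename
	}
	for _, r := range base {
		if r < 0x20 || r == 0x7f || r == unicode.ReplacementChar {
			return "", ErrBadFilename
		}
	}
	return base, nil
}

// buildZip stores each upload under its sanitized entry name and returns the
// archive bytes. Names are processed in sorted order so output is stable.
func buildZip(uploads map[string][]byte) ([]byte, error) {
	names := make([]string, 0, len(uploads))
	for n := range uploads {
		names = append(names, n)
	}
	sort.Strings(names)

	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		safe, err := sanitizeEntryName(n)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", n, err)
		}
		w, err := zw.Create(safe)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write(uploads[n]); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// entryNames lists the entry names an extractor would see in the archive.
func entryNames(archive []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		names = append(names, f.Name)
	}
	return names, nil
}

func main() {
	// Constructed upload names, including the Windows-style traversal from the
	// advisory title and a drive-prefixed variant of it.
	uploads := map[string][]byte{
		"report.pdf":                 []byte("%PDF-1.7"),
		"..\\..\\etc\\passwd":        []byte("root:x:0:0"),
		"C:..\\..\\Windows\\win.ini": []byte("[fonts]"),
	}
	data, err := buildZip(uploads)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	names, _ := entryNames(data)
	fmt.Println("entries:", names)
}
```

Two uploads that collapse to the same base name will produce duplicate entries, which `archive/zip` does not reject; a service that accepts several files per request should deduplicate after sanitising (for example by appending a counter) rather than let the last writer win silently.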
Credited to BagToad, kommendorkapten, babakks, and nophlyzone
Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives (High)
CVE-2026-47179 was published for github.com/getarcaneapp/arcane/backend (Go) on May 28, 2026
Credited to offset
OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL (High)
CVE-2026-45808 was published for github.com/openbao/openbao (Go) on May 28, 2026
Credited to fg0x0