GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,599 advisories
Filter by severity
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
High
CVE-2026-55431
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
High
CVE-2026-55428
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
High
CVE-2026-55429
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
High
CVE-2026-55427
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: User-admin role can reset owner account password
High
CVE-2026-55077
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
High
CVE-2026-55075
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
High
CVE-2026-55076
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression
High
CVE-2026-46599
was published
for
golang.org/x/image
(Go)
Jul 2, 2026
Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
High
CVE-2026-52792
was published
for
github.com/xyproto/algernon
(Go)
Jul 2, 2026
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
High
CVE-2026-44454
was published
for
github.com/coder/coder
(Go)
Jul 2, 2026
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
High
CVE-2026-50138
was published
for
goshs.de/goshs/v2
(Go)
Jul 1, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
High
CVE-2026-50163
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
Rancher has over-inclusive team membership expansion in GitHub App authentication provider
High
CVE-2026-41053
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
High
CVE-2026-44937
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
High
CVE-2026-44938
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
High
CVE-2026-49998
was published
for
github.com/centrifugal/centrifugo
(Go)
Jul 1, 2026
Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage
High
CVE-2026-49478
was published
for
github.com/sigstore/fulcio
(Go)
Jun 30, 2026
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
High
CVE-2026-49824
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
High
CVE-2026-49823
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
High
CVE-2026-49822
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration
High
CVE-2026-49821
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec
High
GHSA-7m8x-qg2j-4m3v
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Kahi has privilege-drop and socket/log permission issues
High
GHSA-55f6-4pr5-c7m5
was published
for
github.com/kahiteam/kahi
(Go)
Jun 30, 2026
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
High
CVE-2026-44840
was published
for
github.com/dgraph-io/dgraph/v25
(Go)
Jun 29, 2026
ProTip!
Advisories are also available from the
GraphQL API