Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,599 advisories

Loading
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps High
CVE-2026-55431 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator High
CVE-2026-55428 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID High
CVE-2026-55429 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` High
CVE-2026-55427 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: User-admin role can reset owner account password High
CVE-2026-55077 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass High
CVE-2026-55075 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking High
CVE-2026-55076 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression High
CVE-2026-46599 was published for golang.org/x/image (Go) Jul 2, 2026
Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename High
CVE-2026-52792 was published for github.com/xyproto/algernon (Go) Jul 2, 2026
Dredsen Credited to Dredsen
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent High
CVE-2026-44454 was published for github.com/coder/coder (Go) Jul 2, 2026
avivdon Credited to avivdon
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags High
CVE-2026-50138 was published for goshs.de/goshs/v2 (Go) Jul 1, 2026
black-shadow-007 Credited to black-shadow-007
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution High
CVE-2026-50163 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
anvanster Credited to anvanster
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header High
CVE-2026-50151 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
1seal Credited to 1seal
Rancher has over-inclusive team membership expansion in GitHub App authentication provider High
CVE-2026-41053 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Yuremin Credited to Yuremin and FORIMOC FORIMOC FORIMOC
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components High
CVE-2026-44937 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent High
CVE-2026-44938 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass High
CVE-2026-49998 was published for github.com/centrifugal/centrifugo (Go) Jul 1, 2026
sondt99 Credited to sondt99
Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage High
CVE-2026-49478 was published for github.com/sigstore/fulcio (Go) Jun 30, 2026
bugbunny-research Credited to bugbunny-research
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook High
CVE-2026-49824 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook High
CVE-2026-49823 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance High
CVE-2026-49822 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration High
CVE-2026-49821 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec High
GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go) Jun 30, 2026
FORIMOC Credited to FORIMOC, Yuremin, and sanketsudake Yuremin Yuremin
sanketsudake sanketsudake
Kahi has privilege-drop and socket/log permission issues High
GHSA-55f6-4pr5-c7m5 was published for github.com/kahiteam/kahi (Go) Jun 30, 2026
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query High
CVE-2026-44840 was published for github.com/dgraph-io/dgraph/v25 (Go) Jun 29, 2026
SnailSploit Credited to SnailSploit
ProTip! Advisories are also available from the GraphQL API