GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
486 advisories
Filter by severity
Casdoor does not validate the AudienceRestriction element in SAML assertions
Critical
CVE-2026-9093
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
Casdoor: GetTokenExchangeToken bypass through lack of cross-organization JWT signature check
Critical
CVE-2026-9094
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
MCP Toolbox for Databases vulnerable to DNS rebinding attacks
Critical
CVE-2026-9739
was published
for
github.com/googleapis/mcp-toolbox
(Go)
May 28, 2026
KubeVirt has a Link Following vulnerability
Critical
CVE-2026-7374
was published
for
kubevirt.io/kubevirt
(Go)
May 26, 2026
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
Critical
CVE-2026-46716
was published
for
github.com/nezhahq/nezha
(Go)
May 23, 2026
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
Critical
CVE-2026-48777
was published
for
github.com/gtsteffaniak/filebrowser/backend
(Go)
May 22, 2026
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical
CVE-2026-46703
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical
CVE-2026-46695
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Critical
CVE-2026-46614
was published
for
github.com/fission/fission
(Go)
May 21, 2026
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
Critical
CVE-2026-46354
was published
for
github.com/coder/coder
(Go)
May 19, 2026
MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path
Critical
GHSA-g53w-w6mj-hrpp
was published
for
github.com/Kuadrant/mcp-gateway
(Go)
May 19, 2026
Kopia: RCE via SSH ProxyCommand Injection
Critical
CVE-2026-45695
was published
for
github.com/kopia/kopia
(Go)
May 19, 2026
Algernon: handler.lua discovery walks parent directories above the server root
Critical
CVE-2026-45721
was published
for
github.com/xyproto/algernon
(Go)
May 19, 2026
Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
Critical
CVE-2026-45625
was published
for
github.com/getarcaneapp/arcane/backend
(Go)
May 18, 2026
Crabbox: environment variable exposure vulnerability
Critical
CVE-2026-8634
was published
for
github.com/openclaw/crabbox
(Go)
May 14, 2026
Portainer has an endpoint security bypass via Swarm service create/update
Critical
CVE-2026-44849
was published
for
github.com/portainer/portainer
(Go)
May 14, 2026
Portainer missing authorization on Docker plugin endpoints, which allows host RCE
Critical
CVE-2026-44848
was published
for
github.com/portainer/portainer
(Go)
May 14, 2026
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
Critical
CVE-2026-45375
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
May 13, 2026
Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server
Critical
GHSA-vw82-7fv8-r6gp
was published
for
github.com/obot-platform/obot
(Go)
May 13, 2026
Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
Critical
CVE-2026-45087
was published
for
github.com/hahwul/dalfox/v2
(Go)
May 12, 2026
CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
Critical
CVE-2026-44477
was published
for
github.com/cloudnative-pg/cloudnative-pg
(Go)
May 11, 2026
free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions
Critical
CVE-2026-44330
was published
for
github.com/free5gc/nef
(Go)
May 8, 2026
free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
Critical
CVE-2026-44329
was published
for
github.com/free5gc/smf
(Go)
May 8, 2026
free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
Critical
CVE-2026-44327
was published
for
github.com/free5gc/nef
(Go)
May 8, 2026
free5GC's NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions
Critical
CVE-2026-44326
was published
for
github.com/free5gc/nef
(Go)
May 8, 2026
ProTip!
Advisories are also available from the
GraphQL API