GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
333 advisories
Filter by severity
bettercap Has an Integer Coercion Error in the ippReadChunkedBody Function
Low
CVE-2026-8275
was published
for
github.com/bettercap/bettercap/v2
(Go)
May 11, 2026
nhost has Session Persistence After Password Change
Low
GHSA-7hgr-xvrr-xpw3
was published
for
github.com/nhost/nhost
(Go)
May 8, 2026
MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience
Low
CVE-2026-44428
was published
for
github.com/modelcontextprotocol/registry
(Go)
May 8, 2026
etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests
Low
CVE-2026-44283
was published
for
go.etcd.io/etcd
(Go)
May 7, 2026
Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover
Low
CVE-2026-42082
was published
for
github.com/free5gc/amf
(Go)
May 7, 2026
MediaMTX affected by CVE-2026-27143 due to vulnerable dependency
Low
GHSA-2ccx-cjjh-r2j8
was published
for
github.com/bluenviron/mediamtx
(Go)
May 6, 2026
OpenBao's Namespace Deletion May Not Delete Data Properly
Low
CVE-2026-42186
was published
for
github.com/openbao/openbao
(Go)
May 5, 2026
Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
Low
CVE-2026-42183
was published
for
github.com/argoproj/argo-workflows/v4
(Go)
May 4, 2026
Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
Low
CVE-2026-40243
was published
for
github.com/lxc/incus/v6/cmd/incusd
(Go)
May 4, 2026
ydb-go-sdk's transactions are not committed using the `options.WithCommit()` option on last call `table.Transaction.Execute` in transaction
Low
GHSA-28xx-pppm-vqff
was published
for
github.com/ydb-platform/ydb-go-sdk/v3
(Go)
Apr 30, 2026
Ollama is Vulnerable to Path Traversal
Low
CVE-2026-7020
was published
for
github.com/ollama/ollama
(Go)
Apr 26, 2026
melange has Path Traversal via .PKGINFO in --persist-lint-results
Low
CVE-2026-29051
was published
for
chainguard.dev/melange
(Go)
Apr 23, 2026
pgx: SQL Injection via placeholder confusion with dollar quoted string literals
Low
CVE-2026-41889
was published
for
github.com/jackc/pgx
(Go)
Apr 22, 2026
OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation
Low
CVE-2026-40264
was published
for
github.com/openbao/openbao
(Go)
Apr 21, 2026
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)
Low
CVE-2026-39396
was published
for
github.com/openbao/openbao
(Go)
Apr 21, 2026
OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate
Low
CVE-2026-39388
was published
for
github.com/openbao/openbao
(Go)
Apr 21, 2026
Memos has an Incorrect Privilege Assignment issue
Low
CVE-2026-6634
was published
for
github.com/usememos/memos
(Go)
Apr 20, 2026
Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace
Low
CVE-2026-27769
was published
for
github.com/mattermost/mattermost-server
(Go)
Apr 17, 2026
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses
Low
GHSA-hw5x-4r37-72w7
was published
for
github.com/opentofu/opentofu
(Go)
Apr 14, 2026
Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint
Low
GHSA-7qx6-f23w-3w7f
was published
for
github.com/patrickhener/goshs
(Go)
Apr 14, 2026
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page
Low
CVE-2026-34454
was published
for
github.com/oauth2-proxy/oauth2-proxy/v7
(Go)
Apr 14, 2026
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Low
CVE-2026-40263
was published
for
github.com/enchant97/note-mark/backend
(Go)
Apr 13, 2026
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Low
CVE-2026-40109
was published
for
github.com/fluxcd/notification-controller
(Go)
Apr 10, 2026
Step CA affected by an index out of bounds panic in TPM attestation EKU validation
Low
CVE-2026-40097
was published
for
github.com/smallstep/certificates
(Go)
Apr 10, 2026
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
Low
CVE-2026-40077
was published
for
github.com/henrygd/beszel
(Go)
Apr 10, 2026
ProTip!
Advisories are also available from the
GraphQL API