GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
396 advisories
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
Critical
CVE-2026-29188
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 4, 2026
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
Critical
CVE-2026-29183
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 4, 2026
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Critical
CVE-2026-28268
was published
for
code.vikunja.io/api
(Go)
Feb 28, 2026
Vitess users with backup storage access can write to arbitrary file paths on restore
Critical
CVE-2026-27969
was published
for
vitess.io/vitess
(Go)
Feb 27, 2026
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Critical
CVE-2026-27575
was published
for
code.vikunja.io/api
(Go)
Feb 25, 2026
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Critical
CVE-2026-27626
was published
for
github.com/OliveTin/OliveTin
(Go)
Feb 25, 2026
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
Critical
GHSA-6qr9-g2xw-cw92
was published
for
github.com/dagu-org/dagu
(Go)
Feb 19, 2026
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints
Critical
CVE-2026-27112
was published
for
github.com/akuity/kargo
(Go)
Feb 19, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical
CVE-2026-26190
was published
for
github.com/milvus-io/milvus
(Go)
Feb 11, 2026
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure
Critical
CVE-2025-66630
was published
for
github.com/gofiber/fiber/v2
(Go)
Feb 9, 2026
Gogs's update .git/config file allows remote command execution
Critical
CVE-2025-64111
was published
for
gogs.io/gogs
(Go)
Feb 6, 2026
FrankenPHP has delayed propagation of security fixes in upstream base images
Critical
GHSA-x9p2-77v6-6vhf
was published
for
github.com/dunglas/frankenphp
(Go)
Feb 5, 2026
Alist has Insecure TLS Config
Critical
CVE-2026-25160
was published
for
github.com/alist-org/alist/v3
(Go)
Feb 4, 2026
Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints
Critical
CVE-2026-25579
was published
for
github.com/navidrome/navidrome
(Go)
Feb 4, 2026
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
Critical
CVE-2026-25539
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jan 29, 2026
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Critical
CVE-2026-22039
was published
for
github.com/kyverno/kyverno
(Go)
Jan 27, 2026
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
Critical
CVE-2026-23518
was published
for
github.com/fleetdm/fleet
(Go)
Jan 20, 2026
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
Critical
CVE-2026-22822
was published
for
github.com/external-secrets/external-secrets
(Go)
Jan 20, 2026
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE
Critical
CVE-2026-23520
was published
for
github.com/getarcaneapp/arcane/backend
(Go)
Jan 15, 2026
WeKnora has Command Injection in MCP stdio test
Critical
CVE-2026-22688
was published
for
github.com/Tencent/WeKnora
(Go)
Jan 9, 2026
ProTip!
Advisories are also available from the
GraphQL API