Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

486 advisories

Loading
free5GC's NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions Critical
CVE-2026-44315 was published for github.com/free5gc/nef (Go) May 8, 2026
LinZiyuu Credited to LinZiyuu
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) Critical
CVE-2026-44588 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
amwhoi Credited to amwhoi
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE Critical
CVE-2026-44670 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
amwhoi Credited to amwhoi
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery Critical
CVE-2026-44523 was published for github.com/enchant97/note-mark/backend (Go) May 7, 2026
osageling Credited to osageling and enchant97 enchant97 enchant97
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion Critical
CVE-2026-44542 was published for github.com/gtsteffaniak/filebrowser (Go) May 7, 2026
Yesuhei Credited to Yesuhei
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction Critical
CVE-2026-42880 was published for github.com/argoproj/argo-cd/v3 (Go) May 7, 2026
hoang-prod Credited to hoang-prod
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering Critical
CVE-2026-41050 was published for github.com/rancher/fleet (Go) May 7, 2026
kodareef5 Credited to kodareef5
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook Critical
CVE-2026-42596 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
R1ZZG0D Credited to R1ZZG0D
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection Critical
CVE-2026-42589 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
S-Senhaji Credited to S-Senhaji
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore Critical
CVE-2026-42238 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
captain99hook Credited to captain99hook
DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header Critical
CVE-2026-42300 was published for github.com/l3montree-dev/devguard (Go) May 5, 2026
S3-Proxy has Security Issues in its Resource Path Matching Implementation Critical
CVE-2026-42882 was published for github.com/oxyno-zeta/s3-proxy (Go) May 5, 2026
argos83 Credited to argos83
Pelican Web UI Affected by a Privilege Escalation Attack Critical
CVE-2026-42571 was published for github.com/pelicanplatform/pelican (Go) May 4, 2026
bbockelm Credited to bbockelm, brianaydemir, jhiemstrawisc, matyasselmeci, and williamnswanson brianaydemir brianaydemir
jhiemstrawisc jhiemstrawisc matyasselmeci matyasselmeci williamnswanson williamnswanson
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation Critical
CVE-2026-42560 was published for github.com/go-pkgz/auth (Go) Apr 30, 2026
Nadav0077 Credited to Nadav0077
Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix) Critical
CVE-2026-40281 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
morimori-dev Credited to morimori-dev
Netmaker does not verify JWT signatures for host tokens Critical
CVE-2026-38651 was published for github.com/gravitl/netmaker (Go) Apr 28, 2026
rvzsec Credited to rvzsec
Note Mark: OIDC-registered users authenticated by submitting password "null" Critical
CVE-2026-41571 was published for github.com/enchant97/note-mark/backend (Go) Apr 25, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
go-zserio has Unbounded Memory Allocation for All Platforms Critical
GHSA-xhj4-g6w8-2xjw was published for github.com/woven-planet/go-zserio (Go) Apr 24, 2026
Ryujiyasu Credited to Ryujiyasu
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars Critical
CVE-2026-41492 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
MaherAzzouzi Credited to MaherAzzouzi
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field Critical
CVE-2026-41328 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field Critical
CVE-2026-41327 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function Critical
CVE-2026-39087 was published for heckel.io/ntfy/v2 (Go) Apr 23, 2026
NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access Critical
CVE-2026-42072 was published for github.com/orneryd/nornicdb (Go) Apr 22, 2026
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution Critical
CVE-2026-41179 was published for github.com/rclone/rclone (Go) Apr 22, 2026
0wnerDied Credited to 0wnerDied, ncw, and augustocesarperin ncw ncw
augustocesarperin augustocesarperin
ProTip! Advisories are also available from the GraphQL API