GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

255 advisories

Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback Low
CVE-2026-34969 was published for github.com/nhost/nhost (Go) Apr 1, 2026
Credited to 0xkakash1
Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber Low
CVE-2026-34762 was published for github.com/ellanetworks/core (Go) Apr 1, 2026
Credited to offset
go-git missing validation decoding Index v4 files leads to panic Low
CVE-2026-33762 was published for github.com/go-git/go-git/v5 (Go) Mar 30, 2026
Credited to kq5y
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE Low
CVE-2026-33529 was published for github.com/tobychui/zoraxy (Go) Mar 25, 2026
Credited to JakePeralta7
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting Low
CVE-2026-33525 was published for github.com/authelia/authelia/v4 (Go) Mar 24, 2026
etcd: Nested etcd transactions bypass RBAC authorization checks Low
CVE-2026-33343 was published for go.etcd.io/etcd (Go) Mar 20, 2026
Credited to Tulgaaaaaaaa
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
Credited to 0xkakash1
mo has a XSS via inline SVG script tags in Markdown rendering Low
GHSA-vccx-p757-pv6h was published for github.com/k1LoW/mo (Go) Mar 18, 2026
Credited to yagihash
Mattermost fails to validate user's authentication method when processing account auth type switch Low
CVE-2026-22545 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning Low
GHSA-q926-c743-49qj was published for github.com/centrifugal/centrifugo (Go) Mar 13, 2026
Credited to VarshankNaik
Anytype Heart's gRPC API client challenge verification can be bypassed on localhost Low
CVE-2026-31863 was published for github.com/anyproto/anytype-cli (Go) Mar 11, 2026
Sliver is Vulnerable to Authenticated Nil-Pointer Dereference through its Handlers Low
CVE-2026-29781 was published for github.com/bishopfox/sliver (Go) Mar 5, 2026
Credited to skoveit
ZITADEL has potential SSRF via Actions Low
CVE-2026-27945 was published for github.com/zitadel/zitadel/v2 (Go) Feb 27, 2026
Credited to IAM-marco and livio-a
CIRCL has an incorrect calculation in secp384r1 CombinedMult Low
CVE-2026-1229 was published for github.com/cloudflare/circl (Go) Feb 25, 2026
Credited to guidovranken
OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field Low
CVE-2026-24005 was published for github.com/openkruise/kruise (Go) Feb 25, 2026
Credited to b0b0haha and j311yl0v3u
Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped Low
CVE-2026-24122 was published for github.com/sigstore/cosign (Go) Feb 19, 2026
Credited to 1seal
Credited to WeebDataHoarder and shaharcohen1
uTLS has a fingerprint vulnerability from missing padding extension for Chrome 120 Low
CVE-2026-26995 was published for github.com/refraction-networking/utls (Go) Feb 18, 2026
uTLS has a fingerprint vulnerability from GREASE ECH mismatch for Chrome parrots Low
CVE-2026-27017 was published for github.com/refraction-networking/utls (Go) Feb 18, 2026
Mattermost fails to enforce invite permissions when updating team settings Low
CVE-2025-14573 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost doesn't properly validate channel membership at the time of data retrieval Low
CVE-2026-20796 was published for github.com/mattermost/mattermost-server (Go) Feb 13, 2026
NeuVector scanner insecurely handles passwords as command arguments Low
CVE-2025-67860 was published for github.com/neuvector/scanner (Go) Feb 12, 2026
LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic Low
GHSA-vhvq-fv9f-wh4q was published for github.com/authzed/spicedb (Go) Feb 6, 2026
Credited to 1seal
ingress-nginx has Improper Check for Unusual or Exceptional Conditions Low
CVE-2026-24513 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026