Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

333 advisories

Loading
netfoil: Attacker controlled data written to logs Low
GHSA-7856-g3gv-9wq8 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
netfoil has a resource leak in LRU cache Low
GHSA-3g4q-2f67-2gvh was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
Cilium node based network policies may incorrectly allow workload traffic Low
CVE-2025-30163 was published for github.com/cilium/cilium (Go) Mar 24, 2025
oblazek Credited to oblazek and westonsteimel westonsteimel westonsteimel
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth Low
CVE-2026-49254 was published for d7y.io/dragonfly/v2 (Go) Jul 2, 2026
tonghuaroot Credited to tonghuaroot
SFTPGo has stored XSS via inline parameter on public shares and user file download Low
CVE-2026-49245 was published for github.com/drakkan/sftpgo/v2 (Go) Jul 2, 2026
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens Low
CVE-2026-48978 was published for oras.land/oras-go (Go) Jul 1, 2026
1seal Credited to 1seal
Concourse login flow has an open redirect issue Low
CVE-2026-49826 was published for github.com/concourse/concourse (Go) Jul 1, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries Low
GHSA-6c87-g9pw-78fx was published for github.com/edgelesssys/contrast (Go) Jul 1, 2026
offset Credited to offset
omec-project amf Vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer Low
CVE-2026-9299 was published for github.com/omec-project/amf (Go) May 26, 2026
omec-project amf Vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer Low
CVE-2026-9301 was published for github.com/omec-project/amf (Go) May 26, 2026
omec-project amf Vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer Low
CVE-2026-9300 was published for github.com/omec-project/amf (Go) May 26, 2026
Authelia has an Edge Case Access Control Rule Mismatch Low
CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) Jun 26, 2026
j0hndo Credited to j0hndo, james-d-elliott, Crowley723, and nightah james-d-elliott james-d-elliott
Crowley723 Crowley723 nightah nightah
Authelia Missing Username Canonicalization in Basic Auth (LDAP) Low
CVE-2026-47203 was published for github.com/authelia/authelia/v4 (Go) May 29, 2026
Nadav0077 Credited to Nadav0077, james-d-elliott, nightah, and Crowley723 james-d-elliott james-d-elliott
nightah nightah Crowley723 Crowley723
nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction Low
GHSA-v2jf-442r-6mjh was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
ak2k Credited to ak2k
lxd has a restricted TLS certificate privilege escalation when in PKI mode Low
CVE-2024-6219 was published for github.com/canonical/lxd (Go) Dec 9, 2024
markylaing Credited to markylaing and cookesan cookesan cookesan
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) Low
CVE-2026-48756 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool} Low
CVE-2026-48754 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration Low
CVE-2026-48709 was published for github.com/OliveTin/OliveTin (Go) Jun 24, 2026
offset Credited to offset
SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected Low
CVE-2026-55866 was published for github.com/authzed/spicedb (Go) Jun 19, 2026
ivanauth Credited to ivanauth and miparnisari miparnisari miparnisari
Gogs has DoS in rendering issue index pattern Low
CVE-2026-52796 was published for gogs.io/gogs (Go) Jun 22, 2026
BaiMeow Credited to BaiMeow
Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected) Low
CVE-2026-44778 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Jun 22, 2026
OpenBao's System Backend allows Unauthorized Management of the containing Namespace Low
CVE-2026-55775 was published for github.com/openbao/openbao (Go) Jun 19, 2026
satoqz Credited to satoqz
OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808 Low
CVE-2026-55774 was published for github.com/openbao/openbao (Go) Jun 19, 2026
anir0y Credited to anir0y and 5ud0er 5ud0er 5ud0er
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
wooseokdotkim Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5 IAM-marco IAM-marco
livio-a livio-a 0xBassia 0xBassia alanturing881 alanturing881 dungNHVhust dungNHVhust sondt99 sondt99 DavidCarliez DavidCarliez tikket1 tikket1 Wernerina Wernerina morimori-dev morimori-dev vamsik2k5 vamsik2k5
OpenFGA Improper Policy Enforcement Low
CVE-2026-55170 was published for github.com/openfga/openfga (Go) Jun 18, 2026
sahajamoth Credited to sahajamoth
ProTip! Advisories are also available from the GraphQL API