GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,316 advisories
Filter by severity
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
High
CVE-2026-61549
was published
for
github.com/woodpecker-ci/woodpecker
(Go)
Jul 14, 2026
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`
High
GHSA-7rx3-5wx3-5v76
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Certificate revocation is never enforced at the mesh
High
CVE-2026-61699
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens
Moderate
CVE-2026-55513
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting
Moderate
CVE-2026-55512
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54629
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
nebula-mesh: Operator session tokens stored in plaintext in the database
High
CVE-2026-53603
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
High
CVE-2026-53604
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54628
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware
High
GHSA-mqxv-9rm6-w8qc
was published
for
github.com/lin-snow/ech0
(Go)
Jul 14, 2026
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
High
CVE-2026-54448
was published
for
github.com/aquasecurity/trivy
(Go)
Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services
High
GHSA-pqg7-v6wh-3pfp
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool
High
CVE-2026-50158
was published
for
github.com/eat-pray-ai/yutu
(Go)
Jul 14, 2026
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
High
CVE-2026-50141
was published
for
go.woodpecker-ci.org/woodpecker/v3
(Go)
Jul 14, 2026
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode
Critical
CVE-2026-50006
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
High
CVE-2026-50125
was published
for
github.com/StacklokLabs/mkp
(Go)
Jul 14, 2026
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions
Moderate
CVE-2026-50018
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode
High
CVE-2026-50013
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Moderate
CVE-2026-54250
was published
for
github.com/k3s-io/k3s
(Go)
Jul 14, 2026
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection
High
CVE-2026-44300
was published
for
github.com/opencost/opencost
(Go)
Jul 14, 2026
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
Critical
GHSA-g936-7jqj-mwv8
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 10, 2026
melange: Incomplete package integrity verification allows data section substitution
High
CVE-2026-54174
was published
for
chainguard.dev/apko
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Critical
CVE-2026-50551
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
Critical
CVE-2026-54158
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
ProTip!
Advisories are also available from the
GraphQL API