Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,316 advisories

Loading
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend High
CVE-2026-61549 was published for github.com/woodpecker-ci/woodpecker (Go) Jul 14, 2026
AnuragBathani Credited to AnuragBathani
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private` High
GHSA-7rx3-5wx3-5v76 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
adamyordan Credited to adamyordan
nebula-mesh: Certificate revocation is never enforced at the mesh High
CVE-2026-61699 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Pig-Tail Credited to Pig-Tail
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens Moderate
CVE-2026-55513 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting Moderate
CVE-2026-55512 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54629 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
nebula-mesh: Operator session tokens stored in plaintext in the database High
CVE-2026-53603 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths High
CVE-2026-53604 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54628 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware High
GHSA-mqxv-9rm6-w8qc was published for github.com/lin-snow/ech0 (Go) Jul 14, 2026
tonghuaroot Credited to tonghuaroot
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser High
CVE-2026-54448 was published for github.com/aquasecurity/trivy (Go) Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services High
GHSA-pqg7-v6wh-3pfp was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool High
CVE-2026-50158 was published for github.com/eat-pray-ai/yutu (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation High
CVE-2026-50141 was published for go.woodpecker-ci.org/woodpecker/v3 (Go) Jul 14, 2026
shivamkumarcyber Credited to shivamkumarcyber
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode Critical
CVE-2026-50006 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion High
CVE-2026-50125 was published for github.com/StacklokLabs/mkp (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions Moderate
CVE-2026-50018 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode High
CVE-2026-50013 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression Moderate
CVE-2026-54250 was published for github.com/k3s-io/k3s (Go) Jul 14, 2026
f1veT Credited to f1veT
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection High
CVE-2026-44300 was published for github.com/opencost/opencost (Go) Jul 14, 2026
b0b0haha Credited to b0b0haha
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation Critical
GHSA-g936-7jqj-mwv8 was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 10, 2026
therawdev Credited to therawdev
melange: Incomplete package integrity verification allows data section substitution High
CVE-2026-54174 was published for chainguard.dev/apko (Go) Jul 10, 2026
xnox Credited to xnox and egibs egibs egibs
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content Critical
CVE-2026-50551 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
Yunkaiwjs Credited to Yunkaiwjs
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() Critical
CVE-2026-54158 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) Critical
CVE-2026-54088 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Saku0512 Credited to Saku0512 and hacdias hacdias hacdias
ProTip! Advisories are also available from the GraphQL API