Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,599 advisories

Loading
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend High
CVE-2026-61549 was published for github.com/woodpecker-ci/woodpecker (Go) Jul 14, 2026
AnuragBathani Credited to AnuragBathani
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private` High
GHSA-7rx3-5wx3-5v76 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
adamyordan Credited to adamyordan
nebula-mesh: Certificate revocation is never enforced at the mesh High
CVE-2026-61699 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Pig-Tail Credited to Pig-Tail
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54629 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
nebula-mesh: Operator session tokens stored in plaintext in the database High
CVE-2026-53603 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths High
CVE-2026-53604 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode High
CVE-2026-54628 was published for github.com/julien040/anyquery (Go) Jul 14, 2026
Metincloup Credited to Metincloup
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware High
GHSA-mqxv-9rm6-w8qc was published for github.com/lin-snow/ech0 (Go) Jul 14, 2026
tonghuaroot Credited to tonghuaroot
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser High
CVE-2026-54448 was published for github.com/aquasecurity/trivy (Go) Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services High
GHSA-pqg7-v6wh-3pfp was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool High
CVE-2026-50158 was published for github.com/eat-pray-ai/yutu (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation High
CVE-2026-50141 was published for go.woodpecker-ci.org/woodpecker/v3 (Go) Jul 14, 2026
shivamkumarcyber Credited to shivamkumarcyber
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion High
CVE-2026-50125 was published for github.com/StacklokLabs/mkp (Go) Jul 14, 2026
EQSTLab Credited to EQSTLab
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode High
CVE-2026-50013 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection High
CVE-2026-44300 was published for github.com/opencost/opencost (Go) Jul 14, 2026
b0b0haha Credited to b0b0haha
melange: Incomplete package integrity verification allows data section substitution High
CVE-2026-54174 was published for chainguard.dev/apko (Go) Jul 10, 2026
xnox Credited to xnox and egibs egibs egibs
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS) High
CVE-2026-54063 was published for github.com/xuri/excelize/v2 (Go) Jul 10, 2026
EQSTLab Credited to EQSTLab
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894 High
CVE-2026-54066 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
aslein1413-sys Credited to aslein1413-sys
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p) High
CVE-2026-50553 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
tonghuaroot Credited to tonghuaroot, Yunkaiwjs, and enchant97 Yunkaiwjs Yunkaiwjs
enchant97 enchant97
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests High
CVE-2026-50197 was published for github.com/zalando/skipper (Go) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise High
CVE-2026-53553 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
What-canIsay Credited to What-canIsay
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs High
CVE-2026-33655 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
b-hermes Credited to b-hermes
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write High
GHSA-qrwj-vh9x-gw5v was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration High
CVE-2026-55436 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
ProTip! Advisories are also available from the GraphQL API