GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,599 advisories
Filter by severity
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
High
CVE-2026-61549
was published
for
github.com/woodpecker-ci/woodpecker
(Go)
Jul 14, 2026
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`
High
GHSA-7rx3-5wx3-5v76
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Certificate revocation is never enforced at the mesh
High
CVE-2026-61699
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54629
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
nebula-mesh: Operator session tokens stored in plaintext in the database
High
CVE-2026-53603
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
High
CVE-2026-53604
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54628
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware
High
GHSA-mqxv-9rm6-w8qc
was published
for
github.com/lin-snow/ech0
(Go)
Jul 14, 2026
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
High
CVE-2026-54448
was published
for
github.com/aquasecurity/trivy
(Go)
Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services
High
GHSA-pqg7-v6wh-3pfp
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool
High
CVE-2026-50158
was published
for
github.com/eat-pray-ai/yutu
(Go)
Jul 14, 2026
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
High
CVE-2026-50141
was published
for
go.woodpecker-ci.org/woodpecker/v3
(Go)
Jul 14, 2026
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
High
CVE-2026-50125
was published
for
github.com/StacklokLabs/mkp
(Go)
Jul 14, 2026
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode
High
CVE-2026-50013
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection
High
CVE-2026-44300
was published
for
github.com/opencost/opencost
(Go)
Jul 14, 2026
melange: Incomplete package integrity verification allows data section substitution
High
CVE-2026-54174
was published
for
chainguard.dev/apko
(Go)
Jul 10, 2026
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
High
CVE-2026-54063
was published
for
github.com/xuri/excelize/v2
(Go)
Jul 10, 2026
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894
High
CVE-2026-54066
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
High
CVE-2026-50553
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
High
CVE-2026-50197
was published
for
github.com/zalando/skipper
(Go)
Jul 8, 2026
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
High
CVE-2026-53553
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
High
CVE-2026-33655
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
High
GHSA-qrwj-vh9x-gw5v
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
High
CVE-2026-55436
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
ProTip!
Advisories are also available from the
GraphQL API