GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,599 advisories
Filter by severity
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
High
CVE-2026-61549
was published
for
github.com/woodpecker-ci/woodpecker
(Go)
Jul 14, 2026
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`
High
GHSA-7rx3-5wx3-5v76
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Certificate revocation is never enforced at the mesh
High
CVE-2026-61699
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54629
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
nebula-mesh: Operator session tokens stored in plaintext in the database
High
CVE-2026-53603
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
High
CVE-2026-53604
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode
High
CVE-2026-54628
was published
for
github.com/julien040/anyquery
(Go)
Jul 14, 2026
Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware
High
GHSA-mqxv-9rm6-w8qc
was published
for
github.com/lin-snow/ech0
(Go)
Jul 14, 2026
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
High
CVE-2026-54448
was published
for
github.com/aquasecurity/trivy
(Go)
Jul 14, 2026
TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services
High
GHSA-pqg7-v6wh-3pfp
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 14, 2026
yutu: Arbitrary File Write via MCP `caption-download` Tool
High
CVE-2026-50158
was published
for
github.com/eat-pray-ai/yutu
(Go)
Jul 14, 2026
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
High
CVE-2026-50141
was published
for
go.woodpecker-ci.org/woodpecker/v3
(Go)
Jul 14, 2026
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
High
CVE-2026-50125
was published
for
github.com/StacklokLabs/mkp
(Go)
Jul 14, 2026
Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode
High
CVE-2026-50013
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection
High
CVE-2026-44300
was published
for
github.com/opencost/opencost
(Go)
Jul 14, 2026
GoBGP: Integer underflow in the BGPUpdate.DecodeFromBytes function
High
CVE-2026-37462
was published
for
github.com/osrg/gobgp/v4
(Go)
Jun 3, 2026
melange: Incomplete package integrity verification allows data section substitution
High
CVE-2026-54174
was published
for
chainguard.dev/apko
(Go)
Jul 10, 2026
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
High
CVE-2026-54063
was published
for
github.com/xuri/excelize/v2
(Go)
Jul 10, 2026
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894
High
CVE-2026-54066
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS
High
CVE-2026-39829
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
Traefik: TCP readTimeout bypass via STARTTLS on Postgres
High
CVE-2026-25949
was published
for
github.com/traefik/traefik/v3
(Go)
Feb 12, 2026
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
High
CVE-2026-50553
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
High
CVE-2026-50197
was published
for
github.com/zalando/skipper
(Go)
Jul 8, 2026
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
High
CVE-2025-71261
was published
for
github.com/harvester/harvester
(Go)
May 6, 2026
ProTip!
Advisories are also available from the
GraphQL API