Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,898 advisories

Loading
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens Moderate
CVE-2026-55513 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting Moderate
CVE-2026-55512 was published for github.com/forgekeep/nebula-mesh (Go) Jul 14, 2026
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions Moderate
CVE-2026-50018 was published for github.com/SpectoLabs/hoverfly (Go) Jul 14, 2026
Kr1shna4garwal Credited to Kr1shna4garwal
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression Moderate
CVE-2026-54250 was published for github.com/k3s-io/k3s (Go) Jul 14, 2026
f1veT Credited to f1veT
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow Moderate
CVE-2026-39835 was published for golang.org/x/crypto (Go) Jun 25, 2026
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon Moderate
CVE-2026-54068 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
geo-chen Credited to geo-chen
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions Moderate
CVE-2026-39828 was published for golang.org/x/crypto (Go) Jun 25, 2026
GoBGP confederation validation panics on empty AS_PATH attribute Moderate
CVE-2026-49838 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
acorn421 Credited to acorn421 and hibrian827 hibrian827 hibrian827
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries Moderate
CVE-2026-49837 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
leo123-all Credited to leo123-all
sigstore-go has a multi-log threshold bypass via single compromised log Moderate
CVE-2026-49834 was published for github.com/sigstore/sigstore-go (Go) Jul 9, 2026
OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect Moderate
CVE-2026-55252 was published for github.com/openrundev/openrun (Go) Jul 9, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate Moderate
CVE-2026-53602 was published for github.com/forgekeep/nebula-mesh (Go) Jul 9, 2026
GoClaw has a Command Injection issue Moderate
CVE-2026-10219 was published for github.com/nextlevelbuilder/goclaw (Go) Jun 1, 2026
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books Moderate
CVE-2026-50554 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
Yunkaiwjs Credited to Yunkaiwjs and enchant97 enchant97 enchant97
Casdoor: Arbitrary file write possible through Local File System storage provider Moderate
CVE-2026-6815 was published for github.com/casdoor/casdoor (Go) May 11, 2026
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel Moderate
CVE-2026-54685 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 24, 2026
mdcoxe Credited to mdcoxe
Claircore: Unauthenticated attackers can submit manifests with URIs pointing to internal services or cloud metadata endpoints Moderate
CVE-2026-10517 was published for github.com/quay/claircore (Go) Jun 1, 2026
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read) Moderate
CVE-2026-53508 was published for github.com/oasdiff/oasdiff (Go) Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping Moderate
CVE-2026-53572 was published for github.com/kedacore/keda/v2 (Go) Jul 7, 2026
mert2m Credited to mert2m
Kite has an authenticated cluster RBAC bypass in /api/v1/overview Moderate
CVE-2026-53487 was published for github.com/zxh326/kite (Go) Jul 7, 2026
DavidCarliez Credited to DavidCarliez
Suspended Coder users retain access to AI Bridge LLM proxy endpoints Moderate
CVE-2026-55435 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints Moderate
CVE-2026-55434 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
netfoil has a domain name filter bypass via multiple questions Moderate
GHSA-59qp-cfj3-rp64 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
golang.org/x/crypto: Invoking pathological inputs can lead to client panic Moderate
CVE-2026-46598 was published for golang.org/x/crypto (Go) Jun 25, 2026
golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS Moderate
CVE-2026-39827 was published for golang.org/x/crypto (Go) Jun 25, 2026
ProTip! Advisories are also available from the GraphQL API