GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,898 advisories
Filter by severity
nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens
Moderate
CVE-2026-55513
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting
Moderate
CVE-2026-55512
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 14, 2026
Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions
Moderate
CVE-2026-50018
was published
for
github.com/SpectoLabs/hoverfly
(Go)
Jul 14, 2026
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Moderate
CVE-2026-54250
was published
for
github.com/k3s-io/k3s
(Go)
Jul 14, 2026
golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
Moderate
CVE-2026-39835
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
Moderate
CVE-2026-54068
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions
Moderate
CVE-2026-39828
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
GoBGP confederation validation panics on empty AS_PATH attribute
Moderate
CVE-2026-49838
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries
Moderate
CVE-2026-49837
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
sigstore-go has a multi-log threshold bypass via single compromised log
Moderate
CVE-2026-49834
was published
for
github.com/sigstore/sigstore-go
(Go)
Jul 9, 2026
OpenRun: Redirect URL validation bypass using //host paths leads to Open Redirect
Moderate
CVE-2026-55252
was published
for
github.com/openrundev/openrun
(Go)
Jul 9, 2026
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate
Moderate
CVE-2026-53602
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 9, 2026
GoClaw has a Command Injection issue
Moderate
CVE-2026-10219
was published
for
github.com/nextlevelbuilder/goclaw
(Go)
Jun 1, 2026
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books
Moderate
CVE-2026-50554
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
Casdoor: Arbitrary file write possible through Local File System storage provider
Moderate
CVE-2026-6815
was published
for
github.com/casdoor/casdoor
(Go)
May 11, 2026
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Moderate
CVE-2026-54685
was published
for
github.com/gtsteffaniak/filebrowser/backend
(Go)
Mar 24, 2026
Claircore: Unauthenticated attackers can submit manifests with URIs pointing to internal services or cloud metadata endpoints
Moderate
CVE-2026-10517
was published
for
github.com/quay/claircore
(Go)
Jun 1, 2026
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
Moderate
CVE-2026-53508
was published
for
github.com/oasdiff/oasdiff
(Go)
Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping
Moderate
CVE-2026-53572
was published
for
github.com/kedacore/keda/v2
(Go)
Jul 7, 2026
Kite has an authenticated cluster RBAC bypass in /api/v1/overview
Moderate
CVE-2026-53487
was published
for
github.com/zxh326/kite
(Go)
Jul 7, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Moderate
CVE-2026-55435
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Moderate
CVE-2026-55434
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
netfoil has a domain name filter bypass via multiple questions
Moderate
GHSA-59qp-cfj3-rp64
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
golang.org/x/crypto: Invoking pathological inputs can lead to client panic
Moderate
CVE-2026-46598
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS
Moderate
CVE-2026-39827
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
ProTip!
Advisories are also available from the
GraphQL API