Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,606
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,831
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

3,606 advisories

Loading
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) Low
CVE-2026-39396 was published for github.com/openbao/openbao (Go) Apr 21, 2026
n1rwhex Credited to n1rwhex
OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate Low
CVE-2026-39388 was published for github.com/openbao/openbao (Go) Apr 21, 2026
jmecom Credited to jmecom
Neko has a Self-service Privilege Escalation for Authenticated Users High
CVE-2026-39386 was published for github.com/m1k1o/neko/server (Go) Apr 21, 2026
blitzkrieg-patch Credited to blitzkrieg-patch
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching Moderate
CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
1seal Credited to 1seal, offset, and vdemeester offset offset
vdemeester vdemeester
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints High
CVE-2026-34403 was published for github.com/0xJacky/Nginx-UI (Go) Apr 21, 2026
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens High
CVE-2026-33031 was published for github.com/0xJacky/Nginx-UI (Go) Apr 21, 2026
jaehonam Credited to jaehonam
Wish has SCP Path Traversal that allows arbitrary file read/write Critical
GHSA-xjvp-7243-rg9h was published for charm.land/wish/v2 (Go) Apr 18, 2026
evnsh Credited to evnsh, andreynering, and aymanbagabas andreynering andreynering
aymanbagabas aymanbagabas
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields Moderate
CVE-2026-6437 was published for github.com/kubernetes-sigs/aws-efs-csi-driver (Go) Apr 18, 2026
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass Critical
GHSA-6g38-8j4p-j3pr was published for github.com/nhost/nhost (Go) Apr 18, 2026
skoveit Credited to skoveit
go-git: Credential leak via cross-host redirect in smart HTTP transport Moderate
GHSA-3xc5-wrhm-f963 was published for github.com/go-git/go-git/v5 (Go) Apr 17, 2026
N0zoM1z0 Credited to N0zoM1z0, AyushParkara, and celinke97 AyushParkara AyushParkara
celinke97 celinke97
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR High
GHSA-8gmg-3w2q-65f4 was published for go.opentelemetry.io/obi (Go) Apr 17, 2026
MrAlias Credited to MrAlias and arminru arminru arminru
Dapr: Service Invocation path traversal ACL bypass High
GHSA-85gx-3qv6-4463 was published for github.com/dapr/dapr (Go) Apr 17, 2026
JoshVanL Credited to JoshVanL, cicoyle, and acroca cicoyle cicoyle
acroca acroca
goldmark vulnerable to Cross-site Scripting (XSS) Moderate
CVE-2026-5160 was published for github.com/yuin/goldmark/renderer/html (Go) Apr 17, 2026
HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations High
CVE-2026-5807 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service High
CVE-2026-3605 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS Moderate
CVE-2026-5052 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization High
CVE-2026-4525 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
Istio: SSRF via RequestAuthentication jwksUri Moderate
GHSA-fgw5-hp8f-xfhc was published for istio.io/istio (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity, 1seal, and AKiileX 1seal 1seal
AKiileX AKiileX
Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak) High
GHSA-8wfp-579w-6r25 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
scumfrog Credited to scumfrog
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL High
CVE-2026-41323 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity
Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix) High
CVE-2026-41068 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
jrey8343 Credited to jrey8343
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider High
CVE-2026-40611 was published for github.com/go-acme/lego (Go) Apr 16, 2026
RealHurrison Credited to RealHurrison
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records Moderate
CVE-2026-40304 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing High
CVE-2026-40303 was published for github.com/openziti/zrok (Go) Apr 16, 2026
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering Moderate
CVE-2026-40302 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database