Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,606
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,831
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

7 advisories

Loading
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset, vdemeester, and kodareef5 vdemeester vdemeester
kodareef5 kodareef5
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion Moderate
CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset and vdemeester vdemeester vdemeester
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check Moderate
CVE-2026-40923 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
kodareef5 Credited to kodareef5, vdemeester, and aThorp96 vdemeester vdemeester
aThorp96 aThorp96
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL High
CVE-2026-40161 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
kodareef5 Credited to kodareef5 and vdemeester vdemeester vdemeester
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching Moderate
CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
1seal Credited to 1seal, offset, and vdemeester offset offset
vdemeester vdemeester
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod Critical
CVE-2026-33211 was published for github.com/tektoncd/pipeline (Go) Mar 18, 2026
1seal Credited to 1seal, vdemeester, afrittoli, and KoreaSecurity vdemeester vdemeester
afrittoli afrittoli KoreaSecurity KoreaSecurity
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun Moderate
CVE-2026-33022 was published for github.com/tektoncd/pipeline (Go) Mar 17, 2026
1seal Credited to 1seal, vdemeester, and afrittoli vdemeester vdemeester
afrittoli afrittoli
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database