
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,599 advisories

OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims Moderate
CVE-2026-40574 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to kodareef5
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to iamnoooob
Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token High
CVE-2026-6290 was published for www.velocidex.com/golang/velociraptor (Go) Apr 15, 2026
NietThijmen ShoppingCart: Command injection in the connect function High
CVE-2024-53412 was published for github.com/NietThijmen/ShoppingCart (Go) Apr 15, 2026
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads High
CVE-2026-41145 was published for github.com/minio/minio (Go) Apr 14, 2026
Credited to ddd, harshavardhana, and donatello
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses Low
GHSA-hw5x-4r37-72w7 was published for github.com/opentofu/opentofu (Go) Apr 14, 2026
frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control Moderate
CVE-2026-40910 was published for github.com/fatedier/frp (Go) Apr 14, 2026
Credited to 0wnerDied
Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles High
CVE-2026-40944 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia affected by server crash via race condition in session heartbeat handling High
CVE-2026-40943 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia has an OIDC token audience validation bypass via SkipClientIDCheck Critical
CVE-2026-40946 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia exposes bearer token in debug log messages on authentication failure High
CVE-2026-40945 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
SiYuan has incomplete fix for CVE-2026-33066: XSS Moderate
CVE-2026-40922 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 14, 2026
Credited to wooseokdotkim
Go Markdown has an Out-of-bounds Read in SmartypantsRenderer High
CVE-2026-40890 was published for github.com/gomarkdown/markdown (Go) Apr 14, 2026
Credited to JulesDT
Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access High
CVE-2026-4789 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to iggypopi and stepanskyigor-orca
SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs Moderate
CVE-2026-40091 was published for github.com/authzed/spicedb (Go) Apr 14, 2026
Credited to miparnisari
Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write High
CVE-2026-40090 was published for github.com/zarf-dev/zarf (Go) Apr 14, 2026
Credited to joonas
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode Critical
CVE-2026-34457 was published for github.com/oauth2-proxy/oauth2-proxy (Go) Apr 14, 2026
Credited to iamnoooob
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page Low
CVE-2026-34454 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 14, 2026
Credited to bella-WI and fnoehWM
PowerShell Command Injection in Podman HyperV Machine Moderate
CVE-2026-33414 was published for github.com/containers/podman/v4 (Go) Apr 14, 2026
Credited to KoreaSecurity
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access High
CVE-2026-40885 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
Credited to R1ZZG0D
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation Moderate
CVE-2026-40883 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
Credited to R1ZZG0D
goshs has an empty-username SFTP password authentication bypass Critical
CVE-2026-40884 was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
Credited to R1ZZG0D
SFTP root escape via prefix-based path validation in goshs High
CVE-2026-40876 was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
Credited to R1ZZG0D
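The bug class named in the goshs entry above, a root check that only tests whether the cleaned path string starts with the root string, is illustrated below with added example code. This is not goshs's code and makes no claim about how goshs's check is written; the root directory, the request list, and the names shareRoot, resolvePrefixOnly and resolveContained are constructed for this illustration. The weak form and a containment check based on filepath.Rel are shown side by side.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed example: the directory an SFTP-style file server is meant to
// expose. Everything outside it must be unreachable.
const shareRoot = "/srv/share"

var errEscape = errors.New("path escapes share root")

// resolvePrefixOnly is the weak pattern: clean the requested path, then accept
// it if the string merely starts with the root. Cleaning collapses "..", but
// the prefix test has no notion of a directory boundary, so a sibling whose
// name begins with "share" (e.g. /srv/share-private) is accepted as well.
func resolvePrefixOnly(requested string) (string, error) {
	p := filepath.Clean(requested)
	if !strings.HasPrefix(p, shareRoot) {
		return "", errEscape
	}
	return p, nil
}

// resolveContained anchors relative requests under the root, cleans the
// result, then asks filepath.Rel whether the target lies at or below the root.
// A relative result of ".." or one starting with "../" means it lies outside.
func resolveContained(requested string) (string, error) {
	p := requested
	if !filepath.IsAbs(p) {
		p = filepath.Join(shareRoot, p)
	}
	p = filepath.Clean(p)
	rel, err := filepath.Rel(shareRoot, p)
	if err != nil {
		return "", errEscape
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return p, nil
}

// pick renders a (path, error) pair for the demo table.
func pick(p string, err error) string {
	if err != nil {
		return "REJECT (" + err.Error() + ")"
	}
	return p
}

func main() {
	// Constructed requests a client might send.
	requests := []string{
		"/srv/share/docs/a.txt",          // legitimate
		"/srv/share/../share/docs/a.txt", // legitimate after cleaning
		"/srv/share/../../etc/passwd",    // plain traversal; both checks stop it
		"/srv/share-private/secret",      // sibling directory; only the prefix check lets it through
		"docs/a.txt",                     // relative request; containment check anchors it under the root
	}
	for _, r := range requests {
		weak, weakErr := resolvePrefixOnly(r)
		strong, strongErr := resolveContained(r)
		fmt.Printf("%-32s prefix-only: %-40s contained: %s\n",
			r, pick(weak, weakErr), pick(strong, strongErr))
	}
}
```

Both functions are purely lexical: they reason about the path string, not the filesystem. A symlink inside the root that points outside it still needs a separate check (for example, comparing filepath.EvalSymlinks of the resolved path against the root with the same containment test), or an OS-level confinement mechanism.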
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token High
CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to 1seal
ProTip! Advisories are also available from the GraphQL API