Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

61 advisories

Loading
melange has Path Traversal via .PKGINFO in --persist-lint-results Moderate
CVE-2026-29051 was published for chainguard.dev/melange (Go) Apr 23, 2026
1seal Credited to 1seal and antitree antitree antitree
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses Moderate
CVE-2026-29050 was published for chainguard.dev/melange (Go) Apr 23, 2026
1seal Credited to 1seal and antitree antitree antitree
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies Moderate
CVE-2026-40182 was published for OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) Apr 23, 2026
martincostello Credited to martincostello, 1seal, Kielek, and arminru 1seal 1seal
Kielek Kielek arminru arminru
nimiq-blockchain: Peer-triggerable panic during history sync Moderate
CVE-2026-34066 was published for nimiq-blockchain (Rust) Apr 22, 2026
1seal Credited to 1seal and ii-cruz ii-cruz ii-cruz
nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge Moderate
CVE-2026-34068 was published for nimiq-transaction (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-transaction: Panic via `HistoryTreeProof` length mismatch Low
CVE-2026-34067 was published for nimiq-transaction (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals High
CVE-2026-34065 was published for nimiq-primitives (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-account: Vesting insufficient funds error can panic Moderate
CVE-2026-34064 was published for nimiq-account (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation Critical
CVE-2026-33471 was published for nimiq-block (Rust) Apr 22, 2026
1seal Credited to 1seal
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching Moderate
CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
1seal Credited to 1seal, offset, and vdemeester offset offset
vdemeester vdemeester
Istio: SSRF via RequestAuthentication jwksUri Moderate
GHSA-fgw5-hp8f-xfhc was published for istio.io/istio (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity, 1seal, and AKiileX 1seal 1seal
AKiileX AKiileX
webpki: Name constraints were accepted for certificates asserting a wildcard name Low
GHSA-xgp8-3hg3-c2mh was published for rustls-webpki (Rust) Apr 16, 2026
1seal Credited to 1seal
webpki: Name constraints for URI names were incorrectly accepted Low
GHSA-965h-392x-2mh5 was published for rustls-webpki (Rust) Apr 16, 2026
1seal Credited to 1seal
UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen Critical
GHSA-hm2w-vr2p-hq7w was published for uefi-firmware (pip) Apr 16, 2026
1seal Credited to 1seal
UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable Critical
GHSA-2689-5p89-6j3j was published for uefi-firmware (pip) Apr 16, 2026
1seal Credited to 1seal
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token High
CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
1seal Credited to 1seal
nimiq-consensus panics via RequestMacroChain micro-block locator Moderate
CVE-2026-34069 was published for nimiq-consensus (Rust) Apr 13, 2026
jsdanielh Credited to jsdanielh and 1seal 1seal 1seal
Step CA affected by an index out of bounds panic in TPM attestation EKU validation Low
CVE-2026-40097 was published for github.com/smallstep/certificates (Go) Apr 10, 2026
1seal Credited to 1seal
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment Moderate
CVE-2026-35206 was published for helm.sh/helm/v3 (Go) Apr 10, 2026
1seal Credited to 1seal
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies Moderate
CVE-2026-39882 was published for go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp (Go) Apr 8, 2026
1seal Credited to 1seal and pellared pellared pellared
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification) High
CVE-2026-29181 was published for go.opentelemetry.io/otel (Go) Apr 7, 2026
1seal Credited to 1seal, XSAM, and Ankush-Pathak XSAM XSAM
Ankush-Pathak Ankush-Pathak
Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation High
CVE-2026-35172 was published for github.com/distribution/distribution (Go) Apr 6, 2026
1seal Credited to 1seal
Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm High
CVE-2026-33540 was published for github.com/distribution/distribution (Go) Apr 6, 2026
1seal Credited to 1seal
cryptography has incomplete DNS name constraint enforcement on peer names Low
CVE-2026-34073 was published for cryptography (pip) Mar 27, 2026
1seal Credited to 1seal and woodruffw woodruffw woodruffw
Moby has AuthZ plugin bypass when provided oversized request bodies High
CVE-2026-34040 was published for github.com/docker/docker (Go) Mar 27, 2026
vvoland Credited to vvoland, manizada, VladimirEliTokarev, and 1seal manizada manizada
VladimirEliTokarev VladimirEliTokarev 1seal 1seal
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database