Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

33 advisories

Loading
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware Moderate
CVE-2026-41263 was published for github.com/traefik/traefik (Go) Apr 24, 2026
kodareef5 Credited to kodareef5
Contour has Lua code injection via Cookie Path Rewrite Policy High
CVE-2026-41246 was published for github.com/projectcontour/contour (Go) Apr 24, 2026
b0b0haha Credited to b0b0haha and kodareef5 kodareef5 kodareef5
Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) Low
CVE-2026-41321 was published for @astrojs/cloudflare (npm) Apr 23, 2026
kodareef5 Credited to kodareef5
RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks High
CVE-2026-40937 was published for rustfs (Rust) Apr 22, 2026
kodareef5 Credited to kodareef5
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) Moderate
CVE-2026-41240 was published for dompurify (npm) Apr 22, 2026
kodareef5 Credited to kodareef5
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 Low
CVE-2026-41140 was published for poetry (pip) Apr 22, 2026
kodareef5 Credited to kodareef5 and radoering radoering radoering
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset, vdemeester, and kodareef5 vdemeester vdemeester
kodareef5 kodareef5
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check Moderate
CVE-2026-40923 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
kodareef5 Credited to kodareef5, vdemeester, and aThorp96 vdemeester vdemeester
aThorp96 aThorp96
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL High
CVE-2026-40161 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
kodareef5 Credited to kodareef5 and vdemeester vdemeester vdemeester
Statamic: Unsafe method invocation via query value resolution allows data destruction High
CVE-2026-41175 was published for statamic/cms (Composer) Apr 16, 2026
joshuaalwin Credited to joshuaalwin and kodareef5 kodareef5 kodareef5
OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims Moderate
CVE-2026-40574 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
kodareef5 Credited to kodareef5
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection High
GHSA-4x48-cgf9-q33f was published for @novu/api (npm) Apr 14, 2026
kodareef5 Credited to kodareef5
Composer has a command injection via malicious perforce reference High
CVE-2026-40261 was published for composer/composer (Composer) Apr 14, 2026
kodareef5 Credited to kodareef5
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine High
CVE-2026-34984 was published for github.com/external-secrets/external-secrets (Go) Apr 13, 2026
kodareef5 Credited to kodareef5
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM Moderate
CVE-2026-40260 was published for pypdf (pip) Apr 10, 2026
kodareef5 Credited to kodareef5 and stefan6419846 stefan6419846 stefan6419846
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() Low
CVE-2026-40194 was published for phpseclib/phpseclib (Composer) Apr 10, 2026
kodareef5 Credited to kodareef5
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering High
CVE-2026-40107 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
kodareef5 Credited to kodareef5
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter Low
CVE-2026-40077 was published for github.com/henrygd/beszel (Go) Apr 10, 2026
marduc812 Credited to marduc812, kodareef5, and lakshayyverma kodareef5 kodareef5
lakshayyverma lakshayyverma
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking High
CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) Apr 8, 2026
kodareef5 Credited to kodareef5 and dmathieu dmathieu dmathieu
Cosign's verify-blob-attestation reports false positive when payload parsing fails Moderate
CVE-2026-39395 was published for github.com/sigstore/cosign (Go) Apr 8, 2026
kodareef5 Credited to kodareef5
File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands High
CVE-2026-35607 was published for github.com/filebrowser/filebrowser/v2 (Go) Apr 8, 2026
kodareef5 Credited to kodareef5
File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check Moderate
CVE-2026-35606 was published for github.com/filebrowser/filebrowser/v2 (Go) Apr 8, 2026
kodareef5 Credited to kodareef5
File Browser share links remain accessible after Share/Download permissions are revoked High
CVE-2026-35604 was published for github.com/filebrowser/filebrowser/v2 (Go) Apr 8, 2026
kodareef5 Credited to kodareef5
File Browser has an access rule bypass via HasPrefix without trailing separator in path matching Moderate
CVE-2026-35605 was published for github.com/filebrowser/filebrowser/v2 (Go) Apr 8, 2026
kodareef5 Credited to kodareef5
Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags High
GHSA-qmwh-9m9c-h36m was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 7, 2026
kodareef5 Credited to kodareef5
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database