Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,599
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,828
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

1,617 advisories

Loading
gitverify has improper tag signature verification Moderate
GHSA-h829-5cg7-6hff was published for github.com/supply-chain-tools/gitverify (Go) Apr 24, 2026
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware Moderate
CVE-2026-41263 was published for github.com/traefik/traefik (Go) Apr 24, 2026
kodareef5 Credited to kodareef5
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding Moderate
CVE-2026-41174 was published for github.com/traefik/traefik (Go) Apr 24, 2026
tamemghq Credited to tamemghq
melange has Path Traversal via .PKGINFO in --persist-lint-results Moderate
CVE-2026-29051 was published for chainguard.dev/melange (Go) Apr 23, 2026
1seal Credited to 1seal and antitree antitree antitree
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses Moderate
CVE-2026-29050 was published for chainguard.dev/melange (Go) Apr 23, 2026
1seal Credited to 1seal and antitree antitree antitree
go-ntlmssp NTLM challenges can panic on malformed payloads Moderate
CVE-2026-32952 was published for github.com/Azure/go-ntlmssp (Go) Apr 23, 2026
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS Moderate
GHSA-rhf7-wvw3-vjvm was published for github.com/patrickhener/goshs (Go) Apr 23, 2026
Gitea has insecure default SSH settings Moderate
GHSA-3m6q-h5gj-7mrw was published for code.gitea.io/gitea (Go) Apr 22, 2026
gnzsnz Credited to gnzsnz
Nuclei: Environment variable disclosure via Response-Derived DSL Expressions Moderate
CVE-2026-41645 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
gnuletik Credited to gnuletik
Nuclei: Local File Read via require() Module Loader Bypass Moderate
CVE-2026-41646 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
AkashHamal0x01 Credited to AkashHamal0x01
free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer Moderate
CVE-2026-41136 was published for github.com/free5gc/amf (Go) Apr 22, 2026
Giancannella Credited to Giancannella
OpenFGA has Improper Policy Enforcement Moderate
CVE-2026-41131 was published for github.com/openfga/openfga (Go) Apr 22, 2026
bugbunny-research Credited to bugbunny-research
DDEV has ZipSlip path traversal in tar and zip archive extraction Moderate
CVE-2026-32885 was published for github.com/ddev/ddev (Go) Apr 22, 2026
SnailSploit Credited to SnailSploit
Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode Moderate
CVE-2026-25996 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Apr 22, 2026
suidpit Credited to suidpit, ndaprela, eiffel-fl, and flyth ndaprela ndaprela
eiffel-fl eiffel-fl flyth flyth
Inspektor Gadget: Command Injection via malicious buildOptions manipulation Moderate
CVE-2026-24905 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Apr 22, 2026
ndaprela Credited to ndaprela, suidpit, and eiffel-fl suidpit suidpit
eiffel-fl eiffel-fl
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion Moderate
CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset and vdemeester vdemeester vdemeester
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check Moderate
CVE-2026-40923 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
kodareef5 Credited to kodareef5, vdemeester, and aThorp96 vdemeester vdemeester
aThorp96 aThorp96
free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation Moderate
CVE-2026-40343 was published for github.com/free5gc/udr (Go) Apr 21, 2026
Giancannella Credited to Giancannella
OpenBao's SQL Injection in PostgreSQL database secrets engine Moderate
CVE-2026-39946 was published for github.com/openbao/openbao (Go) Apr 21, 2026
jmecom Credited to jmecom
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching Moderate
CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
1seal Credited to 1seal, offset, and vdemeester offset offset
vdemeester vdemeester
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields Moderate
CVE-2026-6437 was published for github.com/kubernetes-sigs/aws-efs-csi-driver (Go) Apr 18, 2026
go-git: Credential leak via cross-host redirect in smart HTTP transport Moderate
GHSA-3xc5-wrhm-f963 was published for github.com/go-git/go-git/v5 (Go) Apr 17, 2026
N0zoM1z0 Credited to N0zoM1z0, AyushParkara, and celinke97 AyushParkara AyushParkara
celinke97 celinke97
goldmark vulnerable to Cross-site Scripting (XSS) Moderate
CVE-2026-5160 was published for github.com/yuin/goldmark/renderer/html (Go) Apr 17, 2026
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS Moderate
CVE-2026-5052 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
Istio: SSRF via RequestAuthentication jwksUri Moderate
GHSA-fgw5-hp8f-xfhc was published for istio.io/istio (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity, 1seal, and AKiileX 1seal 1seal
AKiileX AKiileX
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database