Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

435 advisories

Loading
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution Critical
CVE-2026-31886 was published for github.com/dagu-org/dagu (Go) Mar 13, 2026
NucleiAv Credited to NucleiAv
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass Critical
CVE-2026-32136 was published for github.com/AdguardTeam/AdGuardHome (Go) Mar 12, 2026
mandreko Credited to mandreko
Cosmos EVM: incorrect state handling during nested EVM execution paths Critical
GHSA-54gx-3cgr-7mfm was published for github.com/cosmos/evm (Go) Mar 11, 2026
Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go Critical
GHSA-j443-wcqq-xprh was published for github.com/arslanbekov/terraform-provider-sendgrid (Go) Mar 11, 2026
aiell0 Credited to aiell0
Linkdave Missing Authentication on REST and WebSocket endpoints Critical
GHSA-xv8g-fj9h-6gmv was published for github.com/shi-gg/linkdave (Go) Mar 10, 2026
shi-gg Credited to shi-gg
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation Critical
CVE-2026-30861 was published for github.com/Tencent/WeKnora (Go) Mar 7, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool Critical
CVE-2026-30860 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Broken Access Control in Tenant Management Critical
CVE-2026-30855 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import Critical
CVE-2026-30832 was published for github.com/charmbracelet/soft-serve (Go) Mar 6, 2026
vnykmshr Credited to vnykmshr
Gogs: Cross-repository LFS object overwrite via missing content hash verification Critical
CVE-2026-25921 was published for gogs.io/gogs (Go) Mar 5, 2026
zjuchenyuan Credited to zjuchenyuan
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure Critical
CVE-2026-27944 was published for github.com/0xJacky/Nginx-UI (Go) Mar 5, 2026
tenbbughunters Credited to tenbbughunters
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint Critical
CVE-2026-29191 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish, bastionstack, and livio-a bastionstack bastionstack
livio-a livio-a
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check Critical
CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 4, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint Critical
CVE-2026-29183 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 4, 2026
maru1009 Credited to maru1009
Rancher cloud credentials can be used through proxy API by users without access Critical
CVE-2021-25320 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) Critical
CVE-2022-31247 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher doesn't properly sanitize credentials in cluster template answers Critical
CVE-2021-36783 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse Critical
CVE-2026-28268 was published for code.vikunja.io/api (Go) Feb 28, 2026
VashuVats Credited to VashuVats
Vitess users with backup storage access can write to arbitrary file paths on restore Critical
CVE-2026-27969 was published for vitess.io/vitess (Go) Feb 27, 2026
NeuroWinter Credited to NeuroWinter
Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change Critical
CVE-2026-27575 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk Credited to iamsampathk
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks Critical
CVE-2026-27626 was published for github.com/OliveTin/OliveTin (Go) Feb 25, 2026
ByamB4 Credited to ByamB4
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration Critical
GHSA-6qr9-g2xw-cw92 was published for github.com/dagu-org/dagu (Go) Feb 19, 2026
ByamB4 Credited to ByamB4
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints Critical
CVE-2026-27112 was published for github.com/akuity/kargo (Go) Feb 19, 2026
b0b0haha Credited to b0b0haha, spingARbor, and krancour spingARbor spingARbor
krancour krancour
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise Critical
CVE-2026-26190 was published for github.com/milvus-io/milvus (Go) Feb 11, 2026
0x1f Credited to 0x1f
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database