Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

435 advisories

Loading
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure Critical
CVE-2025-66630 was published for github.com/gofiber/fiber/v2 (Go) Feb 9, 2026
sixcolors Credited to sixcolors
Gogs's update .git/config file allows remote command execution Critical
CVE-2025-64111 was published for gogs.io/gogs (Go) Feb 6, 2026
ROPShell Credited to ROPShell
FrankenPHP has delayed propagation of security fixes in upstream base images Critical
GHSA-x9p2-77v6-6vhf was published for github.com/dunglas/frankenphp (Go) Feb 5, 2026
opctim Credited to opctim and dunglas dunglas dunglas
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern Critical
CVE-2025-62878 was published for github.com/rancher/local-path-provisioner (Go) Feb 4, 2026
Alist has Insecure TLS Config Critical
CVE-2026-25160 was published for github.com/alist-org/alist/v3 (Go) Feb 4, 2026
XlabAITeam Credited to XlabAITeam, A7um, and okatu-loli A7um A7um
okatu-loli okatu-loli
Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints Critical
CVE-2026-25579 was published for github.com/navidrome/navidrome (Go) Feb 4, 2026
yunfachi Credited to yunfachi
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE Critical
CVE-2026-25539 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 29, 2026
thxtech Credited to thxtech
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall Critical
CVE-2026-22039 was published for github.com/kyverno/kyverno (Go) Jan 27, 2026
thevilledev Credited to thevilledev
Free5gc NRF is vulnerable to scope validation bypass via maliciously crafted targetNF value Critical
CVE-2025-66719 was published for github.com/free5gc/nrf (Go) Jan 23, 2026
p0sql Credited to p0sql
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment Critical
CVE-2026-23518 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
prateek-0490 Credited to prateek-0490 and JordanMontgomery JordanMontgomery JordanMontgomery
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function Critical
CVE-2026-22822 was published for github.com/external-secrets/external-secrets (Go) Jan 20, 2026
evrardjp Credited to evrardjp, budimanjojo, and gusfcarvalho budimanjojo budimanjojo
gusfcarvalho gusfcarvalho
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE Critical
CVE-2026-23520 was published for github.com/getarcaneapp/arcane/backend (Go) Jan 15, 2026
DenizParlak Credited to DenizParlak
WeKnora has Command Injection in MCP stdio test Critical
CVE-2026-22688 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
im-soohyun Credited to im-soohyun
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware Critical
CVE-2026-0650 was published for github.com/openflagr/flagr (Go) Jan 7, 2026
Bypassing Kyverno Policies via Double Policy Exceptions Critical
GHSA-gg4x-fgg2-h9w9 was published for github.com/kyverno/kyverno (Go) Jan 6, 2026
r0binak Credited to r0binak
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer Critical
CVE-2025-62877 was published for github.com/harvester/harvester-installer (Go) Jan 5, 2026
Ollama Platform has missing authentication enabling attackers to perform model management operations Critical
CVE-2025-63389 was published for github.com/ollama/ollama (Go) Dec 18, 2025
OpenShift GitOps authenticated attackers can obtain cluster root access through forged ArgoCD custom resources Critical
CVE-2025-13888 was published for github.com/redhat-developer/gitops-operator (Go) Dec 15, 2025
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login Critical
CVE-2025-67494 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
amit-laish Credited to amit-laish and livio-a livio-a livio-a
Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values Critical
CVE-2025-66565 was published for github.com/gofiber/utils (Go) Dec 8, 2025
sixcolors Credited to sixcolors
Step CA Has Authorization Bypass in ACME and SCEP Provisioners Critical
CVE-2025-44005 was published for github.com/smallstep/certificates (Go) Dec 3, 2025
Mattermost fails to to verify the token used during code exchange Critical
CVE-2025-12421 was published for github.com/mattermost/mattermost-server (Go) Nov 27, 2025
Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication Critical
CVE-2025-12419 was published for github.com/mattermost/mattermost-server (Go) Nov 27, 2025
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction Critical
GHSA-rj4j-2jph-gg43 was published for github.com/lf-edge/ekuiper/v2 (Go) Nov 24, 2025
odaysec Credited to odaysec and kochrac kochrac kochrac
Grafana Incorrect Privilege Assignment vulnerability Critical
CVE-2025-41115 was published for github.com/grafana/grafana (Go) Nov 21, 2025
cdupuis Credited to cdupuis
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database