GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10 advisories

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap Moderate
CVE-2026-41568 was published for github.com/docker/docker (Go) May 18, 2026
Credited to manizada and vvoland
Docker: `PUT /containers/{id}/archive` executes container binary on the host High
CVE-2026-41567 was published for github.com/docker/docker (Go) May 18, 2026
Credited to manizada and vvoland
CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC High
CVE-2026-33190 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to manizada
CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass) High
CVE-2026-33489 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to manizada
CoreDNS' DoQ worker pool does not bound stream backlog High
CVE-2026-32934 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to manizada
Moby has AuthZ plugin bypass when provided oversized request bodies High
CVE-2026-34040 was published for github.com/docker/docker (Go) Mar 27, 2026
Credited to vvoland, manizada, VladimirEliTokarev, 1seal, and bottarocarlo
etcd: Authorization bypasses in multiple APIs High
CVE-2026-33413 was published for go.etcd.io/etcd (Go) Mar 20, 2026
Credited to manizada
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass High
CVE-2026-27588 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to manizada
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass High
CVE-2026-27587 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to manizada
Traefik: TCP readTimeout bypass via STARTTLS on Postgres High
CVE-2026-25949 was published for github.com/traefik/traefik/v3 (Go) Feb 12, 2026
Credited to manizada