GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
70 advisories
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron (Critical). CVE-2026-46716 was published for github.com/nezhahq/nezha (Go) on May 23, 2026.
Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables (Moderate). CVE-2026-46618 was published for github.com/fission/fission (Go) on May 21, 2026.
Kopia: RCE via SSH ProxyCommand Injection (Critical). CVE-2026-45695 was published for github.com/kopia/kopia (Go) on May 19, 2026.
Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter (Moderate). CVE-2026-45626 was published for github.com/getarcaneapp/arcane/backend (Go) on May 18, 2026.
Fleet vulnerable to OS command injection in software packages (Moderate). CVE-2026-26191 was published for github.com/fleetdm/fleet/v4 (Go) on May 14, 2026.
uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution (High). CVE-2026-45152 was published for gitlab.com/uniget-org/cli (Go) on May 13, 2026.
Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action` (Critical). CVE-2026-45087 was published for github.com/hahwul/dalfox/v2 (Go) on May 12, 2026.
Amazon ECS Container Agent (Windows) is vulnerable to Information Disclosure (High). GHSA-fc67-c4hg-q653 was published for github.com/aws/amazon-ecs-agent (Go) on May 7, 2026.
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection (Critical). CVE-2026-42589 was published for github.com/gotenberg/gotenberg/v8 (Go) on May 7, 2026.
Inspektor Gadget: Command Injection via malicious buildOptions manipulation (Moderate). CVE-2026-24905 was published for github.com/inspektor-gadget/inspektor-gadget (Go) on Apr 22, 2026.
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution (Critical). CVE-2026-41179 was published for github.com/rclone/rclone (Go) on Apr 22, 2026.
PowerShell Command Injection in Podman HyperV Machine (Moderate). CVE-2026-33414 was published for github.com/containers/podman/v4 (Go) on Apr 14, 2026.
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit (High). CVE-2026-27806 was published for github.com/fleetdm/fleet/v4 (Go) on Apr 8, 2026.
File Browser has a Command Injection via Hook Runner (High). CVE-2026-35585 was published for github.com/filebrowser/filebrowser/v2 (Go) on Apr 8, 2026.
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods (High). CVE-2026-34940 was published for github.com/kubeai-project/kubeai (Go) on Apr 1, 2026.
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys (High). CVE-2026-33030 was published for github.com/0xJacky/nginx-ui (Go) on Mar 30, 2026.
Flannel has cross-node remote code execution via extension backend BackendData injection (High). CVE-2026-32241 was published for github.com/flannel-io/flannel (Go) on Mar 27, 2026.
PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution (Moderate). CVE-2026-33623 was published for github.com/pinchtab/pinchtab (Go) on Mar 24, 2026.
WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation (Critical). CVE-2026-30861 was published for github.com/Tencent/WeKnora (Go) on Mar 7, 2026.
osctrl is Vulnerable to OS Command Injection via Environment Configuration (High). CVE-2026-28279 was published for github.com/jmpsec/osctrl (Go) on Feb 28, 2026.
Vitess users with backup storage access can gain unauthorized access to production deployment environments (High). CVE-2026-27965 was published for vitess.io/vitess (Go) on Feb 26, 2026.
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks (Critical). CVE-2026-27626 was published for github.com/OliveTin/OliveTin (Go) on Feb 25, 2026.
Gogs's update .git/config file allows remote command execution (Critical). CVE-2025-64111 was published for gogs.io/gogs (Go) on Feb 6, 2026.
melange affected by potential host command execution via license-check YAML mode patch pipeline (High). CVE-2026-25143 was published for chainguard.dev/melange (Go) on Feb 4, 2026.
melange pipeline working-directory could allow command injection (High). CVE-2026-24844 was published for chainguard.dev/melange (Go) on Feb 3, 2026.