
GitHub Advisory Database

Security vulnerability database that includes CVEs and GitHub-originated security advisories from the world of open source software.

251 advisories

File Browser has incorrect access control for public directory shares via rule path rebasing High
CVE-2026-54091 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to hacdias
Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection High
CVE-2026-48113 was published for github.com/jpillora/chisel (Go) Jun 12, 2026
Credited to mzfr
DevGuard has improper authorization on public assets High
CVE-2026-48089 was published for github.com/l3montree-dev/devguard (Go) Jun 11, 2026
Credited to philipflohr
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
Credited to offset
CAPM3 vulnerable to Cross-Namespace resource access Moderate
GHSA-rf84-wr5g-m3rp was published for github.com/metal3-io/cluster-api-provider-metal3 (Go) May 29, 2026
Credited to BagToad, kommendorkapten, babakks, and nophlyzone
OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL High
CVE-2026-45808 was published for github.com/openbao/openbao (Go) May 28, 2026
Credited to fg0x0
Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability Moderate
CVE-2026-22872 was published for github.com/projectcapsule/capsule (Go) May 28, 2026
Credited to b0b0haha
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) Moderate
CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching Moderate
GHSA-gx7w-56w6-g48x was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026
Credited to Amemoyoi
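The title above names prefix-based path matching as the bypass mechanism. The following is an added, generic illustration of why a string-prefix test on a request path is not an authorization boundary; it is not Caddy's code, and this listing gives no details of the real endpoints or of the exact bypass, so the allow-listed prefix, the request paths and the router model are assumptions made for the example. It shows the two ways a raw prefix test diverges from what the router actually dispatches (dot segments and longer sibling names) and the segment-aware check that closes both.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// publicPrefixes is a constructed allow-list: paths under these prefixes are
// served to unauthenticated remote clients, everything else requires
// authentication. The prefix is an assumption for illustration, not the
// real endpoint named in the advisory.
var publicPrefixes = []string{"/pki/ca/local/certificates"}

// dispatchPath models what a router does before choosing a handler: it
// canonicalises "." and ".." segments and repeated slashes. An authorization
// check that does not see this same canonical form can be talked past.
func dispatchPath(raw string) string {
	if !strings.HasPrefix(raw, "/") {
		raw = "/" + raw
	}
	return path.Clean(raw)
}

// weakPathAllowed is the vulnerable pattern: a plain string-prefix test on
// the raw request path. It has two holes:
//   - dot segments: "/pki/ca/local/certificates/../../../../config" starts
//     with the prefix but dispatches to "/config";
//   - sibling names: "/pki/ca/local/certificates-private" starts with the
//     prefix but is a different resource.
func weakPathAllowed(raw string) bool {
	for _, p := range publicPrefixes {
		if strings.HasPrefix(raw, p) {
			return true
		}
	}
	return false
}

// hardenedPathAllowed canonicalises first, then matches only on a whole
// path-segment boundary, so the check and the router agree on what is
// being requested.
func hardenedPathAllowed(raw string) bool {
	clean := dispatchPath(raw)
	for _, p := range publicPrefixes {
		if clean == p || strings.HasPrefix(clean, p+"/") {
			return true
		}
	}
	return false
}

func main() {
	for _, raw := range []string{
		"/pki/ca/local/certificates",
		"/pki/ca/local/certificates/../../../../config",
		"/pki/ca/local/certificates-private",
		"/config",
	} {
		fmt.Printf("%-48s -> dispatch %-30s weak=%-5v hardened=%v\n",
			raw, dispatchPath(raw), weakPathAllowed(raw), hardenedPathAllowed(raw))
	}
}
```

The practical check when reviewing such code is to ask what string the router matches on and what string the authorizer matches on; if they are not the same canonicalised value, or if the comparison is not anchored at a `/` boundary, the allow-list is wider than it looks.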
Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization Moderate
CVE-2026-45692 was published for github.com/caddyserver/caddy/v2 (Go) May 19, 2026
Credited to Amemoyoi
Mattermost doesn't check public/private permissions Moderate
CVE-2026-6343 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) May 18, 2026
Mattermost doesn't check if {{team_id}} was being changed when updating playbooks Low
CVE-2026-4286 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) May 18, 2026
Mattermost doesn't enforce slash command trigger-word uniqueness during command updates Moderate
CVE-2026-28732 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation Low
CVE-2026-4273 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Mattermost does not verify remote cluster channel access when processing shared channel membership removals Moderate
CVE-2026-28759 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization High
CVE-2026-44882 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to kolega-ai-dev
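The title above describes a middleware that keeps running after token validation fails. The following is an added illustration of that bug class in a generic Go net/http middleware; it is not Portainer's code, and this listing gives no details of the real endpoint or token logic, so validateToken, the request path and the token value are constructed stand-ins. It also shows why the bug is easy to miss from the outside: the client still receives a 401, but the protected handler's side effect has already happened.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// validToken is a constructed stand-in for a real token validator's
// accepted credential; any real implementation verifies a signature or
// looks the token up, it does not compare against a constant.
const validToken = "Bearer example-token"

var errBadToken = errors.New("invalid token")

func validateToken(authz string) error {
	if authz != validToken {
		return errBadToken
	}
	return nil
}

// vulnerableAuth writes a 401 on failure but forgets to return, so the
// wrapped handler still runs. This is the bug class named in the advisory
// title, written here as a generic example, not Portainer's actual code.
func vulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := validateToken(r.Header.Get("Authorization")); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			// missing: return
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedAuth is the same middleware with the early return in place.
func hardenedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := validateToken(r.Header.Get("Authorization")); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// exercise sends one request through the middleware and reports the status
// the client sees and whether the protected handler executed. A second
// WriteHeader is ignored once the 401 is out, so the status alone hides
// the fact that the privileged code ran.
func exercise(mw func(http.Handler) http.Handler, authz string) (status int, handlerRan bool) {
	protected := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		handlerRan = true // the side effect an attacker is after
		w.WriteHeader(http.StatusOK)
		fmt.Fprint(w, "privileged action performed")
	})
	req := httptest.NewRequest(http.MethodPost, "/kubernetes/apply", nil) // constructed path
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	mw(protected).ServeHTTP(rec, req)
	return rec.Code, handlerRan
}

func main() {
	cases := []struct {
		name  string
		mw    func(http.Handler) http.Handler
		authz string
	}{
		{"vulnerable, bad token", vulnerableAuth, "Bearer wrong"},
		{"hardened, bad token", hardenedAuth, "Bearer wrong"},
		{"hardened, good token", hardenedAuth, validToken},
	}
	for _, c := range cases {
		status, ran := exercise(c.mw, c.authz)
		fmt.Printf("%-22s status=%d handlerRan=%v\n", c.name, status, ran)
	}
}
```

When testing a middleware of this kind, assert on a side effect of the downstream handler (a counter, a mock store), not only on the response code; a test that only checks for 401 passes against both versions above.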
Portainer has a bind-mount restriction bypass via HostConfig.Mounts High
CVE-2026-44850 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to offensiveee, alexwaira, Proscan-one, jeroengui, AyushParkara, and marduc812
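The title above names HostConfig.Mounts as the path around a bind-mount restriction. The Docker Engine API accepts host paths in two places in a container's HostConfig: the legacy Binds strings ("host:container[:opts]") and the structured Mounts list, where a mount of type "bind" also exposes a host path. The following is an added, generic illustration of a policy that validates only the first and the corrected policy that validates both; it is not Portainer's code, and this listing gives no details of the real check, so the reduced types, the allowed root and the sample configurations are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Mount and HostConfig are a deliberately reduced model of the Docker Engine
// API's container HostConfig; the real types carry many more fields.
type Mount struct {
	Type   string // "bind", "volume", "tmpfs", ...
	Source string // host path for "bind", volume name for "volume"
	Target string
}

type HostConfig struct {
	Binds  []string // legacy "host:container[:opts]" form
	Mounts []Mount  // structured form, added later
}

// allowedRoot is a constructed policy: only host paths under this directory
// may be bind-mounted into a container.
const allowedRoot = "/srv/allowed"

// hostPathAllowed canonicalises the path and matches on a segment boundary,
// so "/srv/allowed/../../etc" and "/srv/allowed-other" are both rejected.
func hostPathAllowed(p string) bool {
	clean := path.Clean(p)
	return clean == allowedRoot || strings.HasPrefix(clean, allowedRoot+"/")
}

// bindHostPath extracts the host side of a Binds entry. A source that is not
// an absolute path is a named volume, not a host path.
func bindHostPath(bind string) (string, bool) {
	src := strings.SplitN(bind, ":", 2)[0]
	if !strings.HasPrefix(src, "/") {
		return "", false
	}
	return src, true
}

// weakMountCheck validates only HostConfig.Binds and never looks at Mounts,
// so a {Type: "bind"} entry in Mounts reaches any host path. This is the
// pattern named in the advisory title, written as a generic example.
func weakMountCheck(hc HostConfig) error {
	for _, b := range hc.Binds {
		if src, isHost := bindHostPath(b); isHost && !hostPathAllowed(src) {
			return fmt.Errorf("bind %q is outside %s", b, allowedRoot)
		}
	}
	return nil
}

// hardenedMountCheck applies the same policy to every way a host path can be
// attached to the container.
func hardenedMountCheck(hc HostConfig) error {
	if err := weakMountCheck(hc); err != nil {
		return err
	}
	for _, m := range hc.Mounts {
		if m.Type == "bind" && !hostPathAllowed(m.Source) {
			return fmt.Errorf("mount %q is outside %s", m.Source, allowedRoot)
		}
	}
	return nil
}

func main() {
	// Constructed request: Binds is empty, so the weak check has nothing to
	// object to, while Mounts bind-mounts the Docker socket.
	hc := HostConfig{Mounts: []Mount{
		{Type: "bind", Source: "/var/run/docker.sock", Target: "/var/run/docker.sock"},
	}}
	fmt.Println("weak:    ", weakMountCheck(hc))
	fmt.Println("hardened:", hardenedMountCheck(hc))
}
```

A complete policy has to cover every field that can name a host resource, not just the ones the original feature was written against; the same review applies to volume driver options and to any other API field that was added after the restriction was implemented.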
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode Moderate
CVE-2026-45148 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to StarPlatinu
Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse High
CVE-2026-44473 was published for github.com/ellanetworks/core (Go) May 11, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
Credited to LinZiyuu
Credited to SamyGhannad
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering Critical
CVE-2026-41050 was published for github.com/rancher/fleet (Go) May 7, 2026
Credited to kodareef5
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026