
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,399 advisories

goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload (Critical)
CVE-2026-35393 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
Credited to autobot23920

goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload (Critical)
CVE-2026-35392 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
Credited to autobot23920

Antrea has Missing Encryption of Sensitive Data (High)
CVE-2026-34992 was published for antrea.io/antrea (Go) Apr 3, 2026
Credited to antoninbas and xliuxu

Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata (High)
CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to offset

Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature (High)
CVE-2026-35036 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to VashuVats

Go JOSE Panics in JWE decryption (High)
CVE-2026-34986 was published for github.com/go-jose/go-jose (Go) Apr 3, 2026

Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization (Critical)
CVE-2026-34976 was published for github.com/dgraph-io/dgraph (Go) Apr 2, 2026
Credited to kodareef5

Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster (Critical)
CVE-2026-4370 was published for github.com/juju/juju (Go) Apr 2, 2026
Credited to hpidcock, tlm, manadart, and wallyworld

listmonk's active sessions remain valid after password reset and password change (High)
CVE-2026-34828 was published for github.com/knadh/listmonk (Go) Apr 1, 2026
Credited to 0xmrma

Ferret: Path Traversal in IO::FS::WRITE allows arbitrary file write when scraping malicious websites (High)
CVE-2026-34783 was published for github.com/MontFerret/ferret (Go) Apr 1, 2026
Credited to DavidCarliez
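Three of the entries above (the two goshs upload advisories and the Ferret IO::FS::WRITE advisory) are the same bug class: a client-controlled path is joined onto a base directory and the result is never checked to still be inside it. The following is an added example written for this page, not code from goshs, Ferret or any other project listed here, showing the check a Go upload handler needs. `SafeJoin`, `PutHandler` and the `/srv/uploads` root are hypothetical names chosen for the example; the rejection of a path that resolves to the root itself is a design choice, not something the advisories state.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would escape the upload root.
var ErrOutsideRoot = errors.New("path escapes upload root")

// SafeJoin resolves a client-supplied path (a PUT request path, or a
// filename taken from a multipart form) against root and rejects anything
// that would land outside root after lexical cleaning. The check is purely
// lexical: it does not follow symlinks that already exist under root.
func SafeJoin(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../b" collapses before we compare.
	// A leading "/" from the client is treated as relative to root, not to "/".
	target := filepath.Join(absRoot, filepath.FromSlash(userPath))
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if rel == "." {
		return "", errors.New("empty path") // would overwrite the root directory itself
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

// PutHandler stores the request body at the URL path under root, using SafeJoin
// for containment. It refuses to write through a symlink sitting at the
// destination; a symlinked directory higher up the path is still a race
// (TOCTOU), which is what os.Root in Go 1.24 is designed to close.
func PutHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			w.Header().Set("Allow", http.MethodPut)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		dst, err := SafeJoin(root, r.URL.Path)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if fi, err := os.Lstat(dst); err == nil && fi.Mode()&os.ModeSymlink != 0 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if err := os.MkdirAll(filepath.Dir(dst), 0o750); err != nil {
			http.Error(w, "server error", http.StatusInternalServerError)
			return
		}
		f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o640)
		if err != nil {
			http.Error(w, "server error", http.StatusInternalServerError)
			return
		}
		defer f.Close()
		// Cap the body so a single upload cannot fill the disk (64 MiB is an example limit).
		if _, err := io.Copy(f, io.LimitReader(r.Body, 64<<20)); err != nil {
			http.Error(w, "server error", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusCreated)
	})
}

func main() {
	// Constructed sample inputs: one benign, two traversal attempts, one absolute path.
	for _, p := range []string{"notes/a.txt", "../etc/passwd", "a/../../b", "/abs/c.txt"} {
		got, err := SafeJoin("/srv/uploads", p)
		fmt.Printf("%-16q -> %q err=%v\n", p, got, err)
	}
}
```

For multipart uploads the same `SafeJoin` applies to any directory component the client supplies in a form field; note that Go's `multipart.Part.FileName()` already passes the filename through `filepath.Base`, so the traversal surface there is usually a separate "target directory" parameter rather than the filename itself.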
Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback (Low)
CVE-2026-34969 was published for github.com/nhost/nhost (Go) Apr 1, 2026
Credited to 0xkakash1

KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods (High)
CVE-2026-34940 was published for github.com/kubeai-project/kubeai (Go) Apr 1, 2026
Credited to romain-deperne

Tesla Fleet Telemetry allows spoofing telemetry for arbitrary vehicles via compromised vehicle credentials (Moderate)
GHSA-prxj-3gcv-cqrh was published for github.com/teslamotors/fleet-telemetry (Go) Apr 1, 2026
Credited to yueyueL

Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber (Low)
CVE-2026-34762 was published for github.com/ellanetworks/core (Go) Apr 1, 2026
Credited to offset

Ella Core Panics Upon NGAP handover failure (Moderate)
CVE-2026-34761 was published for github.com/ellanetworks/core (Go) Apr 1, 2026
Credited to offset

DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost (High)
CVE-2026-34742 was published for github.com/modelcontextprotocol/go-sdk (Go) Apr 1, 2026
Credited to JLLeitschuh
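The DNS rebinding entry above is worth a concrete illustration of what "protection" means for a localhost HTTP server: a malicious page's hostname is re-pointed at 127.0.0.1 after the browser has loaded it, so the browser happily sends same-origin-looking requests to the local service, carrying the attacker's hostname in the Host header. Binding to 127.0.0.1 does not help, because the browser is on the same machine. The defence is to validate Host (and Origin, when present) against an explicit allowlist. The code below is an added example written for this page, not the Model Context Protocol Go SDK's own implementation; `HostAllowed`, `RebindingGuard`, the allowlist contents and the choice of 421 versus 403 are assumptions of the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// HostAllowed reports whether a Host header value (host, host:port, or an
// IPv6 literal in brackets) names one of the allowed hosts. Ports are
// ignored, comparison is case-insensitive, and IP literals are compared
// numerically so "::1" and "0:0:0:0:0:0:0:1" match.
func HostAllowed(hostHeader string, allowed []string) bool {
	h := hostHeader
	if host, _, err := net.SplitHostPort(hostHeader); err == nil {
		h = host
	}
	h = strings.ToLower(strings.TrimSuffix(h, ".")) // "localhost." is still localhost
	h = strings.Trim(h, "[]")                        // "[::1]" without a port keeps its brackets
	for _, a := range allowed {
		a = strings.ToLower(strings.Trim(a, "[]"))
		if h == a {
			return true
		}
		if ip := net.ParseIP(h); ip != nil {
			if aip := net.ParseIP(a); aip != nil && ip.Equal(aip) {
				return true
			}
		}
	}
	return false
}

// OriginAllowed does an exact, case-insensitive match of a browser Origin
// header against a list of full origins such as "http://localhost:8080".
func OriginAllowed(origin string, allowed []string) bool {
	o := strings.ToLower(origin)
	for _, a := range allowed {
		if o == strings.ToLower(a) {
			return true
		}
	}
	return false
}

// RebindingGuard wraps a handler and rejects requests whose Host header is not
// on the allowlist (421 Misdirected Request; 403 is an equally common choice)
// and browser requests whose Origin is not on the allowlist (403). Requests
// without an Origin header (curl, SDK clients) only go through the Host check.
func RebindingGuard(next http.Handler, allowedHosts, allowedOrigins []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !HostAllowed(r.Host, allowedHosts) {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" && !OriginAllowed(origin, allowedOrigins) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed Host header values: the first group is what a legitimate local
	// client sends, the second is what a rebinding page or a stray LAN client sends.
	allowed := []string{"localhost", "127.0.0.1", "::1"}
	for _, h := range []string{"localhost:8080", "[::1]:8080", "attacker.example:8080", "10.0.0.5"} {
		fmt.Printf("%-24s allowed=%v\n", h, HostAllowed(h, allowed))
	}
}
```

The allowlist must stay tight: a pattern such as "anything ending in localhost" would let `attacker-localhost` through, and allowing "0.0.0.0" or the machine's LAN address reintroduces exactly the exposure the check is meant to remove.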
NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner (Moderate)
GHSA-rxmp-8h9v-56cx was published for github.com/netbirdio/netbird (Go) Apr 1, 2026
Credited to sabancihan

goshs has Auth Bypass via Share Token (High)
CVE-2026-34581 was published for github.com/patrickhener/goshs (Go) Apr 1, 2026
Credited to marduc812

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances (High)
CVE-2026-33544 was published for github.com/steveiliop56/tinyauth (Go) Apr 1, 2026
Credited to kq5y

SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) (High)
CVE-2026-34605 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 1, 2026
Credited to fg0x0

SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution (High)
CVE-2026-34585 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 1, 2026
Credited to ngocnn97

File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection (Moderate)
CVE-2026-34530 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
Credited to tomasvanagas

File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution (High)
CVE-2026-34528 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
Credited to offset

File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file (High)
CVE-2026-34529 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
Credited to tomasvanagas

SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark (High)
CVE-2026-34453 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 31, 2026
Credited to ngocnn97