
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,436 advisories

OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Severity: Moderate
GHSA-68m9-983m-f3v5 was published for github.com/openfga/openfga (Go) on Apr 8, 2026
Credited to bugbunny-research

mercure has Topic Selector Cache Key Collision
Severity: High
GHSA-hwr4-mq23-wcv5 was published for github.com/dunglas/mercure (Go) on Apr 8, 2026
Credited to dunglas

monetr: Protected Transactions Deletable via PUT
Severity: Moderate
CVE-2026-39901 was published for github.com/monetr/monetr (Go) on Apr 8, 2026
Credited to QiaoNPC, Across-Verticals-Malaysia, th3fallen, and elliotcourant

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
Severity: High
CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) on Apr 8, 2026
Credited to kodareef5 and dmathieu

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
Severity: Moderate
CVE-2026-39882 was published for go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp (Go) on Apr 8, 2026
Credited to 1seal and pellared

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
Severity: High
CVE-2026-27806 was published for github.com/fleetdm/fleet/v4 (Go) on Apr 8, 2026
Credited to bugbunny-research

kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution
Severity: Moderate
GHSA-h9mw-h4qc-f5jf was published for github.com/platform-mesh/kubernetes-graphql-gateway (Go) on Apr 8, 2026

kcp's cache server is accessible without authentication or authorization checks
Severity: High
CVE-2026-39429 was published for github.com/kcp-dev/kcp (Go) on Apr 8, 2026
Credited to ntnn

SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
Severity: Critical
CVE-2026-39846 was published for github.com/siyuan-note/siyuan/kernel (Go) on Apr 8, 2026
Credited to ngocnn97

Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
Severity: Moderate
GHSA-xmrv-pmrh-hhx2 was published for github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream (Go) on Apr 8, 2026

Cosign's verify-blob-attestation reports false positive when payload parsing fails
Severity: Moderate
CVE-2026-39395 was published for github.com/sigstore/cosign (Go) on Apr 8, 2026
Credited to kodareef5

kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
Severity: Moderate
GHSA-fcmh-qfxc-w685 was published for github.com/cloudnativelabs/kube-router/v2 (Go) on Apr 8, 2026
Credited to offset

File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
Severity: High
CVE-2026-35607 was published for github.com/filebrowser/filebrowser/v2 (Go) on Apr 8, 2026
Credited to kodareef5

File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
Severity: Moderate
CVE-2026-35606 was published for github.com/filebrowser/filebrowser/v2 (Go) on Apr 8, 2026
Credited to kodareef5

File Browser share links remain accessible after Share/Download permissions are revoked
Severity: High
CVE-2026-35604 was published for github.com/filebrowser/filebrowser/v2 (Go) on Apr 8, 2026
Credited to kodareef5

File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
Severity: Moderate
CVE-2026-35605 was published for github.com/filebrowser/filebrowser/v2 (Go) on Apr 8, 2026
Credited to kodareef5

File Browser has a Command Injection via Hook Runner
Severity: High
CVE-2026-35585 was published for github.com/filebrowser/filebrowser/v2 (Go) on Apr 8, 2026
Credited to Saku0512

OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote DoS amplification)
Severity: High
CVE-2026-29181 was published for go.opentelemetry.io/otel/baggage (Go) on Apr 7, 2026
Credited to 1seal and XSAM

Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags
Severity: High
GHSA-qmwh-9m9c-h36m was published for github.com/gotenberg/gotenberg/v8 (Go) on Apr 7, 2026
Credited to kodareef5

Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
Severity: High
CVE-2026-35458 was published for github.com/gotenberg/gotenberg/v8 (Go) on Apr 7, 2026
Credited to beryxz and drw0if

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
Severity: Moderate
CVE-2026-34972 was published for github.com/openfga/openfga (Go) on Apr 7, 2026
Credited to bugbunny-research

go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
Severity: Moderate
CVE-2026-35480 was published for github.com/ipld/go-ipld-prime (Go) on Apr 6, 2026
Credited to yuliyu123

go.etcd.io/bbolt affected by index out-of-range vulnerability
Severity: Moderate
CVE-2026-33817 was published for go.etcd.io/bbolt (Go) on Apr 6, 2026

Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri
Severity: High
GHSA-x3f4-v83f-7wp2 was published for github.com/authorizerdev/authorizer (Go) on Apr 6, 2026
Credited to kodareef5