GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,413 advisories

go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers (Moderate)
CVE-2026-35480 was published for github.com/ipld/go-ipld-prime (Go) Apr 6, 2026
Credited to yuliyu123

Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri (High)
GHSA-x3f4-v83f-7wp2 was published for github.com/authorizerdev/authorizer (Go) Apr 6, 2026
Credited to kodareef5

Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation (High)
GHSA-jfwg-rxf3-p7r9 was published for github.com/authorizerdev/authorizer (Go) Apr 6, 2026
Credited to morimori-dev

Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation (High)
CVE-2026-35172 was published for github.com/distribution/distribution (Go) Apr 6, 2026
Credited to 1seal

Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm (High)
CVE-2026-33540 was published for github.com/distribution/distribution (Go) Apr 6, 2026
Credited to 1seal

Code Extension Marketplace: Zip Slip Path Traversal (High)
CVE-2026-35454 was published for github.com/coder/code-marketplace (Go) Apr 4, 2026
Credited to vamsik2k5

Hugo: Certain markdown links are not properly escaped (Moderate)
CVE-2026-35166 was published for github.com/gohugoio/hugo (Go) Apr 3, 2026
Credited to cataliniovita

goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) (Critical)
CVE-2026-35471 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
Credited to autobot23920

Juju has a resource poisoning vulnerability (High)
CVE-2025-68153 was published for github.com/juju/juju (Go) Apr 3, 2026
Credited to tlm

Juju: Read All Controller Logs From Compromised Workload (Moderate)
CVE-2025-68152 was published for github.com/juju/juju (Go) Apr 3, 2026
Credited to tlm

Focalboard doesn't sanitize category IDs before incorporating them into dynamic SQL statements (High)
CVE-2026-25773 was published for github.com/mattermost/focalboard (Go) Apr 3, 2026

Focalboard doesn't validate file ownership when serving uploaded files (Moderate)
CVE-2026-28736 was published for github.com/mattermost/focalboard (Go) Apr 3, 2026

goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload (Critical)
CVE-2026-35393 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
Credited to autobot23920

goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload (Critical)
CVE-2026-35392 was published for github.com/patrickhener/goshs (Go) Apr 3, 2026
Credited to autobot23920

Antrea has Missing Encryption of Sensitive Data (High)
CVE-2026-34992 was published for antrea.io/antrea (Go) Apr 3, 2026
Credited to antoninbas and xliuxu

Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata (High)
CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to offset

Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature (High)
CVE-2026-35036 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to VashuVats

Go JOSE Panics in JWE decryption (High)
CVE-2026-34986 was published for github.com/go-jose/go-jose (Go) Apr 3, 2026

Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization (Critical)
CVE-2026-34976 was published for github.com/dgraph-io/dgraph (Go) Apr 2, 2026
Credited to kodareef5

Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster (Critical)
CVE-2026-4370 was published for github.com/juju/juju (Go) Apr 2, 2026
Credited to hpidcock, tlm, manadart, and wallyworld

listmonk's active sessions remain valid after password reset and password change (High)
CVE-2026-34828 was published for github.com/knadh/listmonk (Go) Apr 1, 2026
Credited to 0xmrma

Ferret: Path Traversal in IO::FS::WRITE allows arbitrary file write when scraping malicious websites (High)
CVE-2026-34783 was published for github.com/MontFerret/ferret (Go) Apr 1, 2026
Credited to DavidCarliez

Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback (Low)
CVE-2026-34969 was published for github.com/nhost/nhost (Go) Apr 1, 2026
Credited to 0xkakash1

KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods (High)
CVE-2026-34940 was published for github.com/kubeai-project/kubeai (Go) Apr 1, 2026
Credited to romain-deperne

Tesla Fleet Telemetry allows spoofing telemetry for arbitrary vehicles via compromised vehicle credentials (Moderate)
GHSA-prxj-3gcv-cqrh was published for github.com/teslamotors/fleet-telemetry (Go) Apr 1, 2026
Credited to yueyueL