Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,295 advisories

Loading
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation Critical
GHSA-g936-7jqj-mwv8 was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 10, 2026
therawdev Credited to therawdev
melange: Incomplete package integrity verification allows data section substitution High
CVE-2026-54174 was published for chainguard.dev/apko (Go) Jul 10, 2026
xnox Credited to xnox and egibs egibs egibs
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content Critical
CVE-2026-50551 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
Yunkaiwjs Credited to Yunkaiwjs
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() Critical
CVE-2026-54158 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) Critical
CVE-2026-54088 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Saku0512 Credited to Saku0512 and hacdias hacdias hacdias
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
File Browser: Authentication Bypass via Proxy Auth Header Forgery Critical
CVE-2026-54089 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist Critical
CVE-2026-54069 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
oduoke567 Credited to oduoke567
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon Moderate
CVE-2026-54068 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
geo-chen Credited to geo-chen
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS) High
CVE-2026-54063 was published for github.com/xuri/excelize/v2 (Go) Jul 10, 2026
EQSTLab Credited to EQSTLab
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL Critical
CVE-2026-54072 was published for github.com/authorizerdev/authorizer (Go) Jul 10, 2026
morimori-dev Credited to morimori-dev
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() Critical
CVE-2026-54067 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894 High
CVE-2026-54066 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
aslein1413-sys Credited to aslein1413-sys
GoBGP confederation validation panics on empty AS_PATH attribute Moderate
CVE-2026-49838 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
acorn421 Credited to acorn421 and hibrian827 hibrian827 hibrian827
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries Moderate
CVE-2026-49837 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
leo123-all Credited to leo123-all
sigstore-go has a multi-log threshold bypass via single compromised log Moderate
CVE-2026-49834 was published for github.com/sigstore/sigstore-go (Go) Jul 9, 2026
OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect Moderate
CVE-2026-55252 was published for github.com/openrundev/openrun (Go) Jul 9, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate Moderate
CVE-2026-53602 was published for github.com/forgekeep/nebula-mesh (Go) Jul 9, 2026
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p) High
CVE-2026-50553 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
tonghuaroot Credited to tonghuaroot, Yunkaiwjs, and enchant97 Yunkaiwjs Yunkaiwjs
enchant97 enchant97
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books Moderate
CVE-2026-50554 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
Yunkaiwjs Credited to Yunkaiwjs and enchant97 enchant97 enchant97
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE Critical
CVE-2026-53649 was published for github.com/BishopFox/joro (Go) Jul 8, 2026
stover-BF Credited to stover-BF
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE Critical
CVE-2026-52831 was published for github.com/nuclio/nuclio (Go) Jul 8, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests High
CVE-2026-50197 was published for github.com/zalando/skipper (Go) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read) Moderate
CVE-2026-53508 was published for github.com/oasdiff/oasdiff (Go) Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping Moderate
CVE-2026-53572 was published for github.com/kedacore/keda/v2 (Go) Jul 7, 2026
mert2m Credited to mert2m
ProTip! Advisories are also available from the GraphQL API