Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

333 advisories

Loading
netfoil: Attacker controlled data written to logs Low
GHSA-7856-g3gv-9wq8 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
netfoil has a resource leak in LRU cache Low
GHSA-3g4q-2f67-2gvh was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth Low
CVE-2026-49254 was published for d7y.io/dragonfly/v2 (Go) Jul 2, 2026
tonghuaroot Credited to tonghuaroot
SFTPGo has stored XSS via inline parameter on public shares and user file download Low
CVE-2026-49245 was published for github.com/drakkan/sftpgo/v2 (Go) Jul 2, 2026
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens Low
CVE-2026-48978 was published for oras.land/oras-go (Go) Jul 1, 2026
1seal Credited to 1seal
Concourse login flow has an open redirect issue Low
CVE-2026-49826 was published for github.com/concourse/concourse (Go) Jul 1, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
offset Credited to offset
Authelia has an Edge Case Access Control Rule Mismatch Low
CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) Jun 26, 2026
j0hndo Credited to j0hndo, james-d-elliott, Crowley723, and nightah james-d-elliott james-d-elliott
Crowley723 Crowley723 nightah nightah
nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction Low
GHSA-v2jf-442r-6mjh was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
ak2k Credited to ak2k
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) Low
CVE-2026-48756 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool} Low
CVE-2026-48754 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration Low
CVE-2026-48709 was published for github.com/OliveTin/OliveTin (Go) Jun 24, 2026
offset Credited to offset
Gogs has DoS in rendering issue index pattern Low
CVE-2026-52796 was published for gogs.io/gogs (Go) Jun 22, 2026
BaiMeow Credited to BaiMeow
Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected) Low
CVE-2026-44778 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Jun 22, 2026
ivanauth Credited to ivanauth and miparnisari miparnisari miparnisari
OpenBao's System Backend allows Unauthorized Management of the containing Namespace Low
CVE-2026-55775 was published for github.com/openbao/openbao (Go) Jun 19, 2026
satoqz Credited to satoqz
anir0y Credited to anir0y and 5ud0er 5ud0er 5ud0er
OpenFGA Improper Policy Enforcement Low
CVE-2026-55170 was published for github.com/openfga/openfga (Go) Jun 18, 2026
sahajamoth Credited to sahajamoth
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers Low
CVE-2026-55670 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
livio-a Credited to livio-a and emgrav emgrav emgrav
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
wooseokdotkim Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5 IAM-marco IAM-marco
livio-a livio-a 0xBassia 0xBassia alanturing881 alanturing881 dungNHVhust dungNHVhust sondt99 sondt99 DavidCarliez DavidCarliez tikket1 tikket1 Wernerina Wernerina morimori-dev morimori-dev vamsik2k5 vamsik2k5
nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store Low
GHSA-6vgg-xhvh-38ff was published for github.com/juev/nebula-mesh (Go) Jun 12, 2026
ak2k Credited to ak2k
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic Low
CVE-2026-45723 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
Authelia Missing Username Canonicalization in Basic Auth (LDAP) Low
CVE-2026-47203 was published for github.com/authelia/authelia/v4 (Go) May 29, 2026
Nadav0077 Credited to Nadav0077, james-d-elliott, nightah, and Crowley723 james-d-elliott james-d-elliott
nightah nightah Crowley723 Crowley723
opentelemetry-go's Schema ParseFile leaks file descriptors on each parse Low
CVE-2026-45287 was published for go.opentelemetry.io/otel/schema/v1.0 (Go) May 28, 2026
pellared Credited to pellared and MrAlias MrAlias MrAlias
Capsule Namespace Hijacking via subresource Low
CVE-2026-30963 was published for github.com/projectcapsule/capsule (Go) May 28, 2026
xy585 Credited to xy585
ProTip! Advisories are also available from the GraphQL API