GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
333 advisories
Filter by severity
netfoil: Attacker controlled data written to logs
Low
GHSA-7856-g3gv-9wq8
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
netfoil has a resource leak in LRU cache
Low
GHSA-3g4q-2f67-2gvh
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth
Low
CVE-2026-49254
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 2, 2026
SFTPGo has stored XSS via inline parameter on public shares and user file download
Low
CVE-2026-49245
was published
for
github.com/drakkan/sftpgo/v2
(Go)
Jul 2, 2026
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Low
CVE-2026-48978
was published
for
oras.land/oras-go
(Go)
Jul 1, 2026
Concourse login flow has an open redirect issue
Low
CVE-2026-49826
was published
for
github.com/concourse/concourse
(Go)
Jul 1, 2026
Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries
Low
GHSA-6c87-g9pw-78fx
was published
for
github.com/edgelesssys/contrast
(Go)
Jul 1, 2026
Authelia has an Edge Case Access Control Rule Mismatch
Low
CVE-2026-48794
was published
for
github.com/authelia/authelia/v4
(Go)
Jun 26, 2026
nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction
Low
GHSA-v2jf-442r-6mjh
was published
for
github.com/juev/nebula-mesh
(Go)
Jun 26, 2026
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7)
Low
CVE-2026-48756
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool}
Low
CVE-2026-48754
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration
Low
CVE-2026-48709
was published
for
github.com/OliveTin/OliveTin
(Go)
Jun 24, 2026
Gogs has DoS in rendering issue index pattern
Low
CVE-2026-52796
was published
for
gogs.io/gogs
(Go)
Jun 22, 2026
Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected)
Low
CVE-2026-44778
was published
for
github.com/inspektor-gadget/inspektor-gadget
(Go)
Jun 22, 2026
SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected
Low
CVE-2026-55866
was published
for
github.com/authzed/spicedb
(Go)
Jun 19, 2026
OpenBao's System Backend allows Unauthorized Management of the containing Namespace
Low
CVE-2026-55775
was published
for
github.com/openbao/openbao
(Go)
Jun 19, 2026
OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808
Low
CVE-2026-55774
was published
for
github.com/openbao/openbao
(Go)
Jun 19, 2026
OpenFGA Improper Policy Enforcement
Low
CVE-2026-55170
was published
for
github.com/openfga/openfga
(Go)
Jun 18, 2026
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
Low
CVE-2026-55670
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
Low
CVE-2026-55671
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store
Low
GHSA-6vgg-xhvh-38ff
was published
for
github.com/juev/nebula-mesh
(Go)
Jun 12, 2026
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic
Low
CVE-2026-45723
was published
for
github.com/siderolabs/omni
(Go)
Jun 5, 2026
Authelia Missing Username Canonicalization in Basic Auth (LDAP)
Low
CVE-2026-47203
was published
for
github.com/authelia/authelia/v4
(Go)
May 29, 2026
opentelemetry-go's Schema ParseFile leaks file descriptors on each parse
Low
CVE-2026-45287
was published
for
go.opentelemetry.io/otel/schema/v1.0
(Go)
May 28, 2026
Capsule Namespace Hijacking via subresource
Low
CVE-2026-30963
was published
for
github.com/projectcapsule/capsule
(Go)
May 28, 2026
ProTip!
Advisories are also available from the
GraphQL API