GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,894 advisories
Filter by severity
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
Moderate
CVE-2026-54068
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
GoBGP confederation validation panics on empty AS_PATH attribute
Moderate
CVE-2026-49838
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries
Moderate
CVE-2026-49837
was published
for
github.com/osrg/gobgp/v4
(Go)
Jul 9, 2026
sigstore-go has a multi-log threshold bypass via single compromised log
Moderate
CVE-2026-49834
was published
for
github.com/sigstore/sigstore-go
(Go)
Jul 9, 2026
OpenRun: Redirect URL validation bypass using //host paths leads to Open Redirect
Moderate
CVE-2026-55252
was published
for
github.com/openrundev/openrun
(Go)
Jul 9, 2026
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate
Moderate
CVE-2026-53602
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 9, 2026
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books
Moderate
CVE-2026-50554
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
Moderate
CVE-2026-53508
was published
for
github.com/oasdiff/oasdiff
(Go)
Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping
Moderate
CVE-2026-53572
was published
for
github.com/kedacore/keda/v2
(Go)
Jul 7, 2026
Kite has an authenticated cluster RBAC bypass in /api/v1/overview
Moderate
CVE-2026-53487
was published
for
github.com/zxh326/kite
(Go)
Jul 7, 2026
netfoil has a domain name filter bypass via multiple questions
Moderate
GHSA-59qp-cfj3-rp64
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
New API is vulnerable to CSRF through user email binding
Moderate
CVE-2026-44342
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Moderate
CVE-2026-55438
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Moderate
CVE-2026-55437
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Moderate
CVE-2026-55435
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Moderate
CVE-2026-55434
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Moderate
CVE-2026-55433
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Moderate
CVE-2026-55432
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
Moderate
CVE-2026-55078
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Moderate
CVE-2026-55430
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
Moderate
CVE-2026-55079
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation
Moderate
CVE-2026-53935
was published
for
github.com/cilium/cilium
(Go)
Jul 6, 2026
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check
Moderate
CVE-2026-53624
was published
for
github.com/gofiber/fiber
(Go)
Jul 6, 2026
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile
Moderate
CVE-2026-54637
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 6, 2026
SFTPGo has path confinement bypass in public browsable share partial ZIP download
Moderate
CVE-2026-49244
was published
for
github.com/drakkan/sftpgo/v2
(Go)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API