Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,894 advisories

Loading
SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon Moderate
CVE-2026-54068 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
geo-chen Credited to geo-chen
GoBGP confederation validation panics on empty AS_PATH attribute Moderate
CVE-2026-49838 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
acorn421 Credited to acorn421 and hibrian827 hibrian827 hibrian827
GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries Moderate
CVE-2026-49837 was published for github.com/osrg/gobgp/v4 (Go) Jul 9, 2026
leo123-all Credited to leo123-all
sigstore-go has a multi-log threshold bypass via single compromised log Moderate
CVE-2026-49834 was published for github.com/sigstore/sigstore-go (Go) Jul 9, 2026
OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect Moderate
CVE-2026-55252 was published for github.com/openrundev/openrun (Go) Jul 9, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate Moderate
CVE-2026-53602 was published for github.com/forgekeep/nebula-mesh (Go) Jul 9, 2026
Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books Moderate
CVE-2026-50554 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
Yunkaiwjs Credited to Yunkaiwjs and enchant97 enchant97 enchant97
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read) Moderate
CVE-2026-53508 was published for github.com/oasdiff/oasdiff (Go) Jul 7, 2026
KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping Moderate
CVE-2026-53572 was published for github.com/kedacore/keda/v2 (Go) Jul 7, 2026
mert2m Credited to mert2m
Kite has an authenticated cluster RBAC bypass in /api/v1/overview Moderate
CVE-2026-53487 was published for github.com/zxh326/kite (Go) Jul 7, 2026
DavidCarliez Credited to DavidCarliez
netfoil has a domain name filter bypass via multiple questions Moderate
GHSA-59qp-cfj3-rp64 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
New API is vulnerable to CSRF through user email binding Moderate
CVE-2026-44342 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
kyo-w Credited to kyo-w
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing Moderate
CVE-2026-55438 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component Moderate
CVE-2026-55437 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints Moderate
CVE-2026-55435 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints Moderate
CVE-2026-55434 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers Moderate
CVE-2026-55433 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's sub-agent app registration bypasses template port-sharing policy enforcement Moderate
CVE-2026-55432 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service Moderate
CVE-2026-55078 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access Moderate
CVE-2026-55430 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service Moderate
CVE-2026-55079 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation Moderate
CVE-2026-53935 was published for github.com/cilium/cilium (Go) Jul 6, 2026
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check Moderate
CVE-2026-53624 was published for github.com/gofiber/fiber (Go) Jul 6, 2026
sondt99 Credited to sondt99, dungNHVhust, gaby, and ReneWerner87 dungNHVhust dungNHVhust
gaby gaby ReneWerner87 ReneWerner87
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile Moderate
CVE-2026-54637 was published for d7y.io/dragonfly/v2 (Go) Jul 6, 2026
tonghuaroot Credited to tonghuaroot and gaius-qi gaius-qi gaius-qi
SFTPGo has path confinement bypass in public browsable share partial ZIP download Moderate
CVE-2026-49244 was published for github.com/drakkan/sftpgo/v2 (Go) Jul 2, 2026
celinke97 Credited to celinke97
ProTip! Advisories are also available from the GraphQL API