Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,630
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,850
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

3,630 advisories

Loading
Wish has SCP Path Traversal that allows arbitrary file read/write Critical
CVE-2026-41589 was published for charm.land/wish/v2 (Go) Apr 18, 2026
evnsh Credited to evnsh, andreynering, and aymanbagabas andreynering andreynering
aymanbagabas aymanbagabas
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields Moderate
CVE-2026-6437 was published for github.com/kubernetes-sigs/aws-efs-csi-driver (Go) Apr 18, 2026
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass Critical
CVE-2026-41574 was published for github.com/nhost/nhost (Go) Apr 18, 2026
skoveit Credited to skoveit
go-git: Credential leak via cross-host redirect in smart HTTP transport Moderate
CVE-2026-41506 was published for github.com/go-git/go-git/v5 (Go) Apr 17, 2026
N0zoM1z0 Credited to N0zoM1z0, AyushParkara, and celinke97 AyushParkara AyushParkara
celinke97 celinke97
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR High
CVE-2026-41433 was published for go.opentelemetry.io/obi (Go) Apr 17, 2026
MrAlias Credited to MrAlias and arminru arminru arminru
Dapr: Service Invocation path traversal ACL bypass High
CVE-2026-41491 was published for github.com/dapr/dapr (Go) Apr 17, 2026
JoshVanL Credited to JoshVanL, cicoyle, and acroca cicoyle cicoyle
acroca acroca
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement Moderate
CVE-2026-3590 was published for github.com/mattermost/mattermost-server (Go) Apr 17, 2026
Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace Low
CVE-2026-27769 was published for github.com/mattermost/mattermost-server (Go) Apr 17, 2026
Mattermost doesn't validate CSRF tokens on an authentication endpoint Moderate
CVE-2026-28741 was published for github.com/mattermost/mattermost/server/v8 (Go) Apr 17, 2026
goldmark vulnerable to Cross-site Scripting (XSS) Moderate
CVE-2026-5160 was published for github.com/yuin/goldmark/renderer/html (Go) Apr 17, 2026
HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations High
CVE-2026-5807 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service High
CVE-2026-3605 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization High
CVE-2026-4525 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS Moderate
CVE-2026-5052 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
Istio: SSRF via RequestAuthentication jwksUri Moderate
CVE-2026-41413 was published for istio.io/istio (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity, 1seal, and AKiileX 1seal 1seal
AKiileX AKiileX
Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak) High
GHSA-8wfp-579w-6r25 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
scumfrog Credited to scumfrog
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL High
CVE-2026-41323 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity
Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix) High
CVE-2026-41068 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
jrey8343 Credited to jrey8343
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider High
CVE-2026-40611 was published for github.com/go-acme/lego (Go) Apr 16, 2026
RealHurrison Credited to RealHurrison
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records Moderate
CVE-2026-40304 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing High
CVE-2026-40303 was published for github.com/openziti/zrok (Go) Apr 16, 2026
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering Moderate
CVE-2026-40302 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints Critical
CVE-2026-40173 was published for github.com/dgraph-io/dgraph (Go) Apr 16, 2026
komi22 Credited to komi22
Istio: AuthorizationPolicy serviceAccounts regex injection via unescaped dots Moderate
CVE-2026-39350 was published for istio.io/istio (Go) Apr 16, 2026
Wernerina Credited to Wernerina
SpdyStream: DOS on CRI High
CVE-2026-35469 was published for github.com/moby/spdystream (Go) Apr 16, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database