Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,822
Maven
5,000+
npm
4,448
NuGet
774
pip
4,218
Pub
12
RubyGems
970
Rust
1,089
Swift
47
Unreviewed advisories
All unreviewed
5,000+

2,822 advisories

Loading
chi has an open redirect vulnerability in the RedirectSlashes middleware Moderate
GHSA-mqqf-5wvp-8fh8 was published for github.com/go-chi/chi (Go) Jan 14, 2026
thanosgn
Credited to thanosgn
go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message High
CVE-2026-22868 was published for github.com/ethereum/go-ethereum (Go) Jan 13, 2026
Yenya030
Credited to Yenya030
go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node High
CVE-2026-22862 was published for github.com/ethereum/go-ethereum (Go) Jan 13, 2026
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal High
CVE-2026-22786 was published for github.com/flipped-aurora/gin-vue-admin (Go) Jan 13, 2026
D0ub1e-D
Credited to D0ub1e-D
Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass Moderate
CVE-2026-22772 was published for github.com/sigstore/fulcio (Go) Jan 13, 2026
morwn
Credited to morwn
Envoy Extension Policy lua scripts injection causes arbitrary command execution High
CVE-2026-22771 was published for github.com/envoyproxy/gateway (Go) Jan 13, 2026
rikatz rudrakhp
guydc arkodg
Credited to rikatz, rudrakhp, guydc, and arkodg
Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails Moderate
CVE-2026-22689 was published for github.com/axllent/mailpit (Go) Jan 13, 2026
omarkurt
Credited to omarkurt
Cosign verification accepts any valid Rekor entry under certain conditions Moderate
CVE-2026-22703 was published for github.com/sigstore/cosign/v2 (Go) Jan 13, 2026
1seal
Credited to 1seal
Shiori is vulnerable to authentication bypass via a brute force attack Moderate
CVE-2025-60538 was published for github.com/go-shiori/shiori (Go) Jan 9, 2026
WeKnora has Command Injection in MCP stdio test Critical
CVE-2026-22688 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
im-soohyun
Credited to im-soohyun
WeKnora vulnerable to SQL Injection High
CVE-2026-22687 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
passer-W
Credited to passer-W
Soft Serve is missing an authorization check in LFS lock deletion Moderate
CVE-2026-22253 was published for github.com/charmbracelet/soft-serve (Go) Jan 8, 2026
Tomer-PL
Credited to Tomer-PL
CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages Moderate
CVE-2025-68151 was published for github.com/coredns/coredns (Go) Jan 8, 2026
thevilledev
Credited to thevilledev
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources Moderate
CVE-2026-21885 was published for miniflux.app/v2 (Go) Jan 7, 2026
eclipse07077-ljw
Credited to eclipse07077-ljw
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware Critical
CVE-2026-0650 was published for github.com/openflagr/flagr (Go) Jan 7, 2026
Bypassing Kyverno Policies via Double Policy Exceptions Critical
GHSA-gg4x-fgg2-h9w9 was published for github.com/kyverno/kyverno (Go) Jan 6, 2026
r0binak
Credited to r0binak
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability Moderate
CVE-2026-21859 was published for github.com/axllent/mailpit (Go) Jan 6, 2026
omarkurt
Credited to omarkurt
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced High
CVE-2025-68954 was published for github.com/pterodactyl/wings (Composer) Jan 6, 2026
real2two
Credited to real2two
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer Critical
CVE-2025-62877 was published for github.com/harvester/harvester-installer (Go) Jan 5, 2026
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass Moderate
GHSA-hjr9-wj7v-7hv8 was published for github.com/bishopfox/sliver (Go) Jan 5, 2026
0xkato
Credited to 0xkato
flagd: Multiple Go Runtime CVEs Impact Security and Availability High
GHSA-4c5f-9mj4-m247 was published for github.com/open-feature/flagd/core (Go) Jan 5, 2026
pramod-ahire
Credited to pramod-ahire
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover Moderate
CVE-2026-21483 was published for github.com/knadh/listmonk (Go) Jan 2, 2026
PlayerIUnknown
Credited to PlayerIUnknown
Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type Low
GHSA-p4f6-h8jj-vfvf was published for github.com/mccutchen/go-httpbin (Go) Jan 2, 2026 withdrawn
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists Moderate
CVE-2025-69413 was published for code.gitea.io/gitea (Go) Jan 1, 2026
Temporal has an Incorrect Authorization vulnerability Moderate
CVE-2025-14987 was published for go.temporal.io/server (Go) Dec 30, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database