GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,217
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,443
Swift
61
Unreviewed advisories
All unreviewed
5,000+
18 advisories
Filter by severity
melange QEMU runner could write files outside workspace directory
High
CVE-2026-24843
was published
for
chainguard.dev/melange
(Go)
Feb 3, 2026
melange pipeline working-directory could allow command injection
High
CVE-2026-24844
was published
for
chainguard.dev/melange
(Go)
Feb 3, 2026
melange affected by potential host command execution via license-check YAML mode patch pipeline
High
CVE-2026-25143
was published
for
chainguard.dev/melange
(Go)
Feb 4, 2026
apko has a path traversal in apko dirFS which allows filesystem writes outside base
High
CVE-2026-25121
was published
for
chainguard.dev/apko
(Go)
Feb 3, 2026
apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams
High
CVE-2026-25140
was published
for
chainguard-dev/apko
(Go)
Feb 4, 2026
kaniko has tar archive path traversal in its build context extraction, allowing file writes outside destination directories
High
CVE-2026-28406
was published
for
github.com/chainguard-dev/kaniko
(Go)
Mar 1, 2026
Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS)
High
CVE-2026-26999
was published
for
github.com/traefik/traefik/v2
(Go)
Mar 4, 2026
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
High
CVE-2026-29054
was published
for
github.com/traefik/traefik/v2
(Go)
Mar 4, 2026
zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required)
High
CVE-2026-31801
was published
for
zotregistry.dev/zot
(Go)
Mar 10, 2026
BuildKit's Malicious frontend can cause file escape outside of storage root
High
CVE-2026-33747
was published
for
github.com/moby/buildkit
(Go)
Mar 26, 2026
Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation
High
CVE-2026-35172
was published
for
github.com/distribution/distribution
(Go)
Apr 6, 2026
Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
High
CVE-2026-33540
was published
for
github.com/distribution/distribution
(Go)
Apr 6, 2026
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
High
CVE-2026-29181
was published
for
go.opentelemetry.io/otel
(Go)
Apr 7, 2026
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
High
CVE-2026-40868
was published
for
github.com/kyverno/kyverno
(Go)
Apr 14, 2026
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
High
CVE-2026-42574
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
High
CVE-2026-42575
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
Moby has AuthZ plugin bypass when provided oversized request bodies
High
CVE-2026-34040
was published
for
github.com/docker/docker
(Go)
Mar 27, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
ProTip!
Advisories are also available from the
GraphQL API