Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,164
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,458
Pub
12
RubyGems
991
Rust
1,184
Swift
50
Unreviewed advisories
All unreviewed
5,000+

10 advisories

Loading
Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly Moderate
CVE-2026-26330 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
phlax Credited to phlax, botengyao, and agrawroh botengyao botengyao
agrawroh agrawroh
Envoy: HTTP - filter chain execution on reset streams causing UAF crash Moderate
CVE-2026-26311 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
MushroomWasp Credited to MushroomWasp, agrawroh, yanavlasov, botengyao, and phlax agrawroh agrawroh
yanavlasov yanavlasov botengyao botengyao phlax phlax
Envoy affected by off-by-one write in JsonEscaper::escapeString() Moderate
CVE-2026-26309 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
Finder16 Credited to Finder16, agrawroh, phlax, and botengyao agrawroh agrawroh
phlax phlax botengyao botengyao
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation High
CVE-2026-26308 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
botengyao Credited to botengyao, phlax, and agrawroh phlax phlax
agrawroh agrawroh
Envoy vulnerable to crash for scoped ip address during DNS Moderate
CVE-2026-26310 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
antoniovleonti Credited to antoniovleonti, agrawroh, botengyao, and phlax agrawroh agrawroh
botengyao botengyao phlax phlax
Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte Moderate
CVE-2025-66220 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao Credited to botengyao, phlax, ggreenway, yanavlasov, and agrawroh phlax phlax
ggreenway ggreenway yanavlasov yanavlasov agrawroh agrawroh
Envoy forwards early CONNECT data in TCP proxy mode Low
CVE-2025-64763 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao Credited to botengyao, phlax, yanavlasov, agrawroh, and chasingimpact phlax phlax
yanavlasov yanavlasov agrawroh agrawroh chasingimpact chasingimpact
Envoy crashes when JWT authentication is configured with the remote JWKS fetching Moderate
CVE-2025-64527 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao Credited to botengyao, phlax, agrawroh, and yanavlasov phlax phlax
agrawroh agrawroh yanavlasov yanavlasov
Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults High
CVE-2025-54588 was published for github.com/envoyproxy/envoy (Go) Sep 15, 2025
agrawroh Credited to agrawroh, yanavlasov, phlax, and botengyao yanavlasov yanavlasov
phlax phlax botengyao botengyao
Envoy crashes when HTTP ext_proc processes local replies Moderate
CVE-2025-30157 was published for github.com/envoyproxy/envoy (Go) Mar 21, 2025
botengyao Credited to botengyao, yanjunxiang-google, and phlax yanjunxiang-google yanjunxiang-google
phlax phlax
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database