Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
47
GitHub Actions
48
Go
3,378
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,573
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

164 advisories

Loading
nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval Moderate
CVE-2026-33029 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
OpenBao has Reflected XSS in its OIDC authentication error message Critical
CVE-2026-33758 was published for github.com/openbao/openbao (Go) Mar 26, 2026
gianklug Credited to gianklug
OpenFGA has an Authorization Bypass through cached keys Moderate
CVE-2026-33729 was published for github.com/openfga/openfga (Go) Mar 26, 2026
justincoh Credited to justincoh and saad-h1 saad-h1 saad-h1
NATS has pre-auth server panic via leafnode handling High
CVE-2026-33218 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026
ingress-nginx comment-based nginx configuration injection High
CVE-2026-4342 was published for k8s.io/ingress-nginx (Go) Mar 20, 2026
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload Moderate
CVE-2026-30961 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes Moderate
CVE-2026-30915 was published for github.com/drakkan/sftpgo/v2 (Go) Mar 13, 2026
SM9 Infinity-Point Ciphertext Forgery Vulnerability Critical
CVE-2026-32614 was published for github.com/emmansun/gmsm (Go) Mar 13, 2026
Cameudis Credited to Cameudis and sunyxedu sunyxedu sunyxedu
Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval Moderate
CVE-2026-31959 was published for github.com/anchore/quill (Go) Mar 11, 2026
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation High
CVE-2026-26308 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
botengyao Credited to botengyao, phlax, and agrawroh phlax phlax
agrawroh agrawroh
Envoy vulnerable to crash for scoped ip address during DNS Moderate
CVE-2026-26310 was published for github.com/envoyproxy/envoy (Go) Mar 10, 2026
antoniovleonti Credited to antoniovleonti, agrawroh, botengyao, and phlax agrawroh agrawroh
botengyao botengyao phlax phlax
OliveTin has crash on NPE by calling APIs with invalid bindings or log references Moderate
GHSA-fwhj-785h-43hh was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
maru1009 Credited to maru1009
Agentgateway is missing parameter sanitization in MCP to OpenAPI conversion Moderate
CVE-2026-29791 was published for github.com/agentgateway/agentgateway (Go) Mar 5, 2026
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport High
CVE-2026-27590 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
dunglas Credited to dunglas and AbdrrahimDahmani AbdrrahimDahmani AbdrrahimDahmani
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections Moderate
CVE-2026-27585 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
parrot409 Credited to parrot409
Go Ethereum affected by DoS via malicious p2p message High
CVE-2026-26314 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP High
CVE-2026-24895 was published for github.com/dunglas/frankenphp (Go) Feb 12, 2026
AbdrrahimDahmani Credited to AbdrrahimDahmani and dunglas dunglas dunglas
ingress-nginx's `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx High
CVE-2026-1580 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx High
CVE-2026-24512 was published for k8s.io/ingress-nginx (Go) Feb 4, 2026
go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message High
CVE-2026-22868 was published for github.com/ethereum/go-ethereum (Go) Jan 13, 2026
Yenya030 Credited to Yenya030
go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node High
CVE-2026-22862 was published for github.com/ethereum/go-ethereum (Go) Jan 13, 2026
flagd: Multiple Go Runtime CVEs Impact Security and Availability High
GHSA-4c5f-9mj4-m247 was published for github.com/open-feature/flagd/core (Go) Jan 5, 2026
pramod-ahire Credited to pramod-ahire
Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations High
CVE-2025-62725 was published for github.com/docker/compose/v2 (Go) Oct 27, 2025
masasron Credited to masasron and shaked-seal shaked-seal shaked-seal
argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload High
CVE-2025-59537 was published for github.com/argoproj/argo-cd (Go) Sep 30, 2025
s0ngsari530 Credited to s0ngsari530, jake-ciolek, crenshaw-dev, and blakepettersson jake-ciolek jake-ciolek
crenshaw-dev crenshaw-dev blakepettersson blakepettersson
Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning Critical
CVE-2025-59823 was published for github.com/gardener/gardener-extension-provider-aws (Go) Sep 25, 2025
petersutter Credited to petersutter, kon-angelo, hebelsan, JordanJordanov, and donistz kon-angelo kon-angelo
hebelsan hebelsan JordanJordanov JordanJordanov donistz donistz
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database