GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
96 advisories
Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
Moderate
CVE-2026-46618
was published
for
github.com/fission/fission
(Go)
May 21, 2026
Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read
High
CVE-2026-46617
was published
for
github.com/fission/fission
(Go)
May 21, 2026
Neko has a Self-service Privilege Escalation for Authenticated Users
High
CVE-2026-39386
was published
for
github.com/m1k1o/neko/server
(Go)
Apr 21, 2026
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Moderate
CVE-2026-39961
was published
for
github.com/aiven/aiven-operator
(Go)
Apr 10, 2026
Vikunja vulnerable to Privilege Escalation via Project Reparenting
High
CVE-2026-35595
was published
for
code.vikunja.io/api
(Go)
Apr 10, 2026
File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
High
CVE-2026-35607
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Apr 8, 2026
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
High
CVE-2026-34528
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 31, 2026
Ella Core has Privilege Escalation via Database Restore by NetworkManager role
High
CVE-2026-33906
was published
for
github.com/ellanetworks/core
(Go)
Mar 26, 2026
File Browser Signup Grants Admin When Default Permissions Include Admin
Critical
CVE-2026-32760
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
Rancher's Azure AD permission changes are not reflected on active sessions
High
CVE-2023-22648
was published
for
github.com/rancher/rancher
(Go)
Mar 3, 2026
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
High
CVE-2026-27899
was published
for
github.com/h44z/wg-portal
(Go)
Feb 26, 2026
FrankenPHP leaks session data between requests in worker mode
High
CVE-2026-24894
was published
for
github.com/dunglas/frankenphp
(Go)
Feb 12, 2026
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Critical
CVE-2026-22039
was published
for
github.com/kyverno/kyverno
(Go)
Jan 27, 2026
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
High
CVE-2025-64761
was published
for
github.com/openbao/openbao
(Go)
Nov 24, 2025
LXD vulnerable to a local privilege escalation through custom storage volumes
High
GHSA-3g2j-vm47-x4mj
was published
for
github.com/canonical/lxd
(Go)
Nov 13, 2025
Incus vulnerable to local privilege escalation through custom storage volumes
High
CVE-2025-64507
was published
for
github.com/lxc/incus/v6
(Go)
Nov 13, 2025
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
Moderate
CVE-2025-64436
was published
for
kubevirt.io/kubevirt
(Go)
Nov 6, 2025
Coder vulnerable to privilege escalation could lead to a cross workspace compromise
High
CVE-2025-58437
was published
for
github.com/coder/coder/v2
(Go)
Sep 5, 2025
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
High
CVE-2025-53942
was published
for
goauthentik.io
(Go)
Jul 22, 2025
Gardener allows bypassing project secret validation which can lead to privilege escalation
Critical
CVE-2025-47283
was published
for
github.com/gardener/gardener
(Go)
May 19, 2025
Gardener External DNS Management allows malicious google credential in DNS secret to lead to privilege escalation
Critical
CVE-2025-47282
was published
for
github.com/gardener/external-dns-management
(Go)
May 19, 2025
ProTip!
Advisories are also available from the
GraphQL API