GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
28 advisories
Filter by severity
Authentication bypass issue in the Operator Console
High
CVE-2021-41266
was published
for
github.com/minio/console
(Go)
Nov 15, 2021
Dapr Dashboard vulnerable to Incorrect Access Control
High
CVE-2022-38817
was published
for
github.com/dapr/dashboard
(Go)
Oct 4, 2022
Answer Missing Authentication for Critical Function
High
CVE-2023-4815
was published
for
github.com/answerdev/answer
(Go)
Sep 7, 2023
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
High
CVE-2023-22650
was published
for
github.com/rancher/rancher
(Go)
Jun 17, 2024
Chisel's AUTH environment variable not respected in server entrypoint
High
CVE-2024-43798
was published
for
github.com/jpillora/chisel
(Go)
Aug 27, 2024
Mattermost Fails to Enforce MFA on Plugin Endpoints
High
CVE-2025-25068
was published
for
github.com/mattermost/mattermost/server/v8
(Go)
Mar 21, 2025
Mattermost Confluence Plugin is Missing Authentication for Critical Function
High
CVE-2025-44004
was published
for
github.com/mattermost/mattermost-plugin-confluence
(Go)
Aug 11, 2025
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
High
CVE-2025-59358
was published
for
github.com/chaos-mesh/chaos-mesh
(Go)
Sep 15, 2025
Dragonfly doesn't have authentication enabled for some Manager’s endpoints
High
CVE-2025-59345
was published
for
d7y.io/dragonfly/v2
(Go)
Sep 17, 2025
Dragonfly Manager Job API Unauthenticated Access
High
CVE-2026-24124
was published
for
d7y.io/dragonfly/v2
(Go)
Jan 22, 2026
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service
High
CVE-2026-25791
was published
for
github.com/bishopfox/sliver
(Go)
Feb 6, 2026
Unauthenticated Admission Webhook Endpoints in Yoke ATC
High
CVE-2026-26055
was published
for
github.com/yokecd/yoke
(Go)
Feb 12, 2026
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
High
CVE-2026-30933
was published
for
github.com/gtsteffaniak/filebrowser/backend
(Go)
Mar 9, 2026
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
High
CVE-2026-33203
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 18, 2026
kcp's cache server is accessible without authentication or authorization checks
High
CVE-2026-39429
was published
for
github.com/kcp-dev/kcp
(Go)
Apr 8, 2026
MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads
High
CVE-2026-40344
was published
for
github.com/minio/minio
(Go)
Apr 14, 2026
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
High
CVE-2026-39858
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
High
CVE-2026-42221
was published
for
github.com/0xJacky/Nginx-UI
(Go)
May 6, 2026
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
High
CVE-2026-42222
was published
for
github.com/0xJacky/nginx-ui
(Go)
May 6, 2026
DevSpace UI Server WebSocket CheckOrigin does not validate source
High
CVE-2026-42283
was published
for
github.com/loft-sh/devspace
(Go)
May 6, 2026
free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path
High
CVE-2026-44320
was published
for
github.com/free5gc/nef
(Go)
May 8, 2026
free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)
High
CVE-2026-44321
was published
for
github.com/free5gc/smf
(Go)
May 8, 2026
free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
High
CVE-2026-44328
was published
for
github.com/free5gc/smf
(Go)
May 8, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file`
High
CVE-2026-45088
was published
for
github.com/hahwul/dalfox/v2
(Go)
May 12, 2026
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
High
CVE-2026-45089
was published
for
github.com/hahwul/dalfox/v2
(Go)
May 12, 2026
ProTip!
Advisories are also available from the
GraphQL API