Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28 advisories

Loading
Authentication bypass issue in the Operator Console High
CVE-2021-41266 was published for github.com/minio/console (Go) Nov 15, 2021
Alevsk Credited to Alevsk
Dapr Dashboard vulnerable to Incorrect Access Control High
CVE-2022-38817 was published for github.com/dapr/dashboard (Go) Oct 4, 2022
Answer Missing Authentication for Critical Function High
CVE-2023-4815 was published for github.com/answerdev/answer (Go) Sep 7, 2023
Chisel's AUTH environment variable not respected in server entrypoint High
CVE-2024-43798 was published for github.com/jpillora/chisel (Go) Aug 27, 2024
lleyton Credited to lleyton, korewaChino, and jpillora korewaChino korewaChino
jpillora jpillora
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider High
CVE-2023-22650 was published for github.com/rancher/rancher (Go) Jun 17, 2024
Mattermost Fails to Enforce MFA on Plugin Endpoints High
CVE-2025-25068 was published for github.com/mattermost/mattermost/server/v8 (Go) Mar 21, 2025
Mattermost Confluence Plugin is Missing Authentication for Critical Function High
CVE-2025-44004 was published for github.com/mattermost/mattermost-plugin-confluence (Go) Aug 11, 2025
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function High
CVE-2025-59358 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Dragonfly doesn't have authentication enabled for some Manager’s endpoints High
CVE-2025-59345 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi Credited to gaius-qi
Dragonfly Manager Job API Unauthenticated Access High
CVE-2026-24124 was published for d7y.io/dragonfly/v2 (Go) Jan 22, 2026
b0b0haha Credited to b0b0haha and gaius-qi gaius-qi gaius-qi
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service High
CVE-2026-25791 was published for github.com/bishopfox/sliver (Go) Feb 6, 2026
xtle0o0 Credited to xtle0o0
Unauthenticated Admission Webhook Endpoints in Yoke ATC High
CVE-2026-26055 was published for github.com/yokecd/yoke (Go) Feb 12, 2026
b0b0haha Credited to b0b0haha and lixingquzhi lixingquzhi lixingquzhi
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass High
CVE-2026-33203 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
mith36 Credited to mith36
kcp's cache server is accessible without authentication or authorization checks High
CVE-2026-39429 was published for github.com/kcp-dev/kcp (Go) Apr 8, 2026
ntnn Credited to ntnn
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info High
CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 9, 2026
mdcoxe Credited to mdcoxe and ByteAfterlife ByteAfterlife ByteAfterlife
MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads High
CVE-2026-40344 was published for github.com/minio/minio (Go) Apr 14, 2026
ddd Credited to ddd, harshavardhana, and donatello harshavardhana harshavardhana
donatello donatello
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim High
CVE-2026-42221 was published for github.com/0xJacky/Nginx-UI (Go) May 6, 2026
R1ZZG0D Credited to R1ZZG0D
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover High
CVE-2026-42222 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
Kakeru-Ishii Credited to Kakeru-Ishii
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing High
CVE-2026-39858 was published for github.com/traefik/traefik (Go) Apr 24, 2026
fancymalware Credited to fancymalware
DevSpace UI Server WebSocket CheckOrigin does not validate source High
CVE-2026-42283 was published for github.com/loft-sh/devspace (Go) May 6, 2026
b0b0haha Credited to b0b0haha
LinZiyuu Credited to LinZiyuu
LinZiyuu Credited to LinZiyuu
LinZiyuu Credited to LinZiyuu
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option High
CVE-2026-45089 was published for github.com/hahwul/dalfox/v2 (Go) May 12, 2026
drmingler Credited to drmingler
Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file` High
CVE-2026-45088 was published for github.com/hahwul/dalfox/v2 (Go) May 12, 2026
ProTip! Advisories are also available from the GraphQL API