GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
21 advisories
Filter by severity
Tilt: Missing authentication on the network-exposed Tilt HUD server
Critical
CVE-2026-55884
was published
for
github.com/tilt-dev/tilt
(Go)
Jun 19, 2026
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Critical
CVE-2026-49980
was published
for
github.com/rclone/rclone
(Go)
Jun 16, 2026
Kopia: RCE via SSH ProxyCommand Injection
Critical
CVE-2026-45695
was published
for
github.com/kopia/kopia
(Go)
May 19, 2026
Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
Critical
CVE-2026-45087
was published
for
github.com/hahwul/dalfox/v2
(Go)
May 12, 2026
free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
Critical
CVE-2026-44329
was published
for
github.com/free5gc/smf
(Go)
May 8, 2026
free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
Critical
CVE-2026-44327
was published
for
github.com/free5gc/nef
(Go)
May 8, 2026
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
Critical
CVE-2026-41179
was published
for
github.com/rclone/rclone
(Go)
Apr 22, 2026
Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Critical
CVE-2026-41176
was published
for
github.com/rclone/rclone
(Go)
Apr 22, 2026
goshs has an empty-username SFTP password authentication bypass
Critical
CVE-2026-40884
was published
for
github.com/patrickhener/goshs
(Go)
Apr 14, 2026
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
Critical
CVE-2026-33032
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Mar 30, 2026
Linkdave Missing Authentication on REST and WebSocket endpoints
Critical
GHSA-xv8g-fj9h-6gmv
was published
for
github.com/shi-gg/linkdave
(Go)
Mar 10, 2026
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
Critical
CVE-2026-27944
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Mar 5, 2026
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
Critical
GHSA-6qr9-g2xw-cw92
was published
for
github.com/dagu-org/dagu
(Go)
Feb 19, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical
CVE-2026-26190
was published
for
github.com/milvus-io/milvus
(Go)
Feb 11, 2026
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware
Critical
CVE-2026-0650
was published
for
github.com/openflagr/flagr
(Go)
Jan 7, 2026
Ollama Platform has missing authentication enabling attackers to perform model management operations
Critical
CVE-2025-63389
was published
for
github.com/ollama/ollama
(Go)
Dec 18, 2025
Step CA Has Authorization Bypass in ACME and SCEP Provisioners
Critical
CVE-2025-44005
was published
for
github.com/smallstep/certificates
(Go)
Dec 3, 2025
sing-box vulnerable to improper authentication in the SOCKS inbound
Critical
CVE-2023-43644
was published
for
github.com/sagernet/sing
(Go)
Sep 26, 2023
CasaOS Gateway vulnerable to incorrect identification of source IP addresses
Critical
CVE-2023-37265
was published
for
github.com/IceWhaleTech/CasaOS-Gateway
(Go)
Jul 17, 2023
KubeView vulnerable to full cluster takeover due to improper authentication
Critical
CVE-2022-45933
was published
for
github.com/benc-uk/kubeview
(Go)
Nov 27, 2022
DevSpace vulnerable to remote code execution
Critical
CVE-2020-15391
was published
for
github.com/loft-sh/devspace
(Go)
May 24, 2022
ProTip!
Advisories are also available from the
GraphQL API