GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

53 advisories

MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path (Critical)
GHSA-g53w-w6mj-hrpp was published for github.com/Kuadrant/mcp-gateway (Go) on May 19, 2026
Credited to Bhuvanesh66

gittuf's policy can be rolled back to prior valid versions (Moderate)
CVE-2026-44544 was published for github.com/gittuf/gittuf (Go) on May 7, 2026
Credited to andrew

Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds` (Moderate)
CVE-2026-42572 was published for github.com/hatchet-dev/hatchet (Go) on May 6, 2026
Credited to sajdakabir

ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check (Moderate)
CVE-2026-44426 was published for github.com/shellhub-io/shellhub (Go) on May 7, 2026
Credited to Edu0x01

ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data (Moderate)
CVE-2026-44423 was published for github.com/shellhub-io/shellhub (Go) on May 6, 2026
Credited to Edu0x01

ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace (Moderate)
CVE-2026-44424 was published for github.com/shellhub-io/shellhub (Go) on May 6, 2026
Credited to Edu0x01

Velocidex Velociraptor has an authorization bypass vulnerability (Moderate)
CVE-2026-7573 was published for www.velocidex.com/golang/velociraptor (Go) on May 6, 2026

Neko has a Self-service Privilege Escalation for Authenticated Users (High)
CVE-2026-39386 was published for github.com/m1k1o/neko/server (Go) on Apr 21, 2026
Credited to blitzkrieg-patch

Focalboard doesn't validate file ownership when serving uploaded files (Moderate)
CVE-2026-28736 was published for github.com/mattermost/focalboard (Go) on Apr 3, 2026

nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys (High)
CVE-2026-33030 was published for github.com/0xJacky/nginx-ui (Go) on Mar 30, 2026
Credited to f1veT

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR (Critical)
GHSA-2pv8-4c52-mf8j was published for code.vikunja.io/api (Go) on Mar 26, 2026
Credited to offset

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion (Moderate)
CVE-2026-33700 was published for code.vikunja.io/api (Go) on Mar 25, 2026
Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion (High)
CVE-2026-33678 was published for code.vikunja.io/api (Go) on Mar 25, 2026
Credited to offset
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments (Moderate)
CVE-2026-33313 was published for code.vikunja.io/api (Go) on Mar 20, 2026

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check (Moderate)
CVE-2026-30886 was published for github.com/QuantumNous/new-api (Go) on Mar 23, 2026
Credited to Mistz1 and Calcium-Ion

Authorization Bypass Through User-Controlled Key in go-zero (Critical)
CVE-2024-27302 was published for github.com/zeromicro/go-zero (Go) on Mar 4, 2024
Credited to cokeBeer

File Browser has an Authorization Policy Bypass in Public Share Download Flow (Moderate)
CVE-2026-32761 was published for https://github.com/filebrowser/filebrowser (Go) on Mar 18, 2026
Credited to Ahmad-jarwan and hacdias

Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications (Moderate)
CVE-2026-2461 was published for github.com/mattermost/mattermost-plugin-boards (Go) on Mar 16, 2026

WeKnora has Unauthorized Cross-Tenant Knowledge Base Cloning (Moderate)
CVE-2026-30857 was published for github.com/Tencent/WeKnora (Go) on Mar 6, 2026
Credited to aleister1102

Gogs Allows Cross-Repository Comment Deletion via DeleteComment (Moderate)
CVE-2026-25120 was published for gogs.io/gogs (Go) on Feb 17, 2026
Credited to tenbbughunters

File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function (High)
CVE-2025-64523 was published for github.com/filebrowser/filebrowser/v2 (Go) on Nov 13, 2025
Credited to bbodisteanu-hacken and hacdias

Dozzle Agent Label-Based Access Control Bypass Allows Unauthorized Container Shell Access (High)
CVE-2026-24740 was published for github.com/amir20/dozzle (Go) on Jan 27, 2026
Credited to k14uz

Distribution's token authentication allows injection of an untrusted signing key in a JWT (High)
CVE-2025-24976 was published for github.com/distribution/distribution/v3 (Go) on Feb 11, 2025
Credited to evanebb

Mattermost Server has intermittent authorization bypass for resource owners (High)
CVE-2017-18894 was published for github.com/mattermost/mattermost-server (Go) on May 24, 2022