GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
89 advisories
Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)
Moderate
CVE-2026-48824 was published for github.com/axllent/mailpit (Go) on Jul 1, 2026
Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality
Moderate
CVE-2026-49835 was published for github.com/sigstore/timestamp-authority (Go) on Jun 30, 2026
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS
Moderate
CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent
Moderate
CVE-2026-48496 was published for go.opentelemetry.io/ebpf-profiler (Go) on Jun 23, 2026
quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion
Moderate
CVE-2026-40898 was published for github.com/quic-go/quic-go (Go) on Jun 3, 2026
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
Moderate
CVE-2026-45682 was published for go.opentelemetry.io/obi (Go) on May 18, 2026
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size
Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) on May 8, 2026
Mattermost doesn't limit the size of the request body on the start meeting API endpoint
Moderate
CVE-2026-2325 was published for github.com/mattermost/mattermost-plugin-msteams-meetings (Go) on May 18, 2026
OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
Moderate
CVE-2026-46405 was published for github.com/openbao/openbao (Go) on May 28, 2026
Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)
Moderate
CVE-2026-45712 was published for github.com/axllent/mailpit (Go) on May 19, 2026
Incus is affected by unbounded binary import disk exhaustion
Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has Unbounded YAML Metadata Decode via Parsing
Moderate
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify any echo's fav_count
Moderate
GHSA-pj6q-4vq4-r8cg was published for github.com/lin-snow/Ech0 (Go) on May 7, 2026
Mattermost MS Teams plugin doesn't limit the request body size on the /changes webhook endpoint
Moderate
CVE-2026-24661 was published for github.com/mattermost/mattermost-plugin-msteams (Go) on Apr 9, 2026
Go Images vulnerable to an out-of-memory error via a crafted TIFF file
Moderate
CVE-2026-33809 was published for golang.org/x/image (Go) on Mar 25, 2026
Quill has DoS via unbounded read of HTTP response body during notarization
Moderate
CVE-2026-31960 was published for github.com/anchore/quill (Go) on Mar 11, 2026
Quill has unbounded memory allocation via unvalidated size fields in Mach-O binary parsing
Moderate
CVE-2026-31961 was published for github.com/anchore/quill (Go) on Mar 11, 2026
Vikunja has File Size Limit Bypass via Vikunja Import
Moderate
CVE-2026-35602 was published for code.vikunja.io/api (Go) on Apr 10, 2026
kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution
Moderate
GHSA-h9mw-h4qc-f5jf was published for github.com/platform-mesh/kubernetes-graphql-gateway (Go) on Apr 8, 2026
go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
Moderate
CVE-2026-35480 was published for github.com/ipld/go-ipld-prime (Go) on Apr 6, 2026
go-git: Maliciously crafted idx file can cause asymmetric memory consumption
Moderate
CVE-2026-34165 was published for github.com/go-git/go-git/v5 (Go) on Mar 30, 2026
NATS is vulnerable to pre-auth DoS through WebSockets client service
Moderate
CVE-2026-33219 was published for github.com/nats-io/nats-server (Go) on Mar 24, 2026
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token
Moderate
CVE-2026-33621 was published for github.com/pinchtab/pinchtab (Go) on Mar 24, 2026
Incus vulnerable to denial of source through crafted bucket backup file
Moderate
CVE-2026-33743 was published for github.com/lxc/incus (Go) on Mar 27, 2026
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload
Moderate
CVE-2026-30961 was published for github.com/forceu/gokapi (Go) on Mar 13, 2026
ProTip! Advisories are also available from the GraphQL API