
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

89 advisories

Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality Moderate
CVE-2026-49835 was published for github.com/sigstore/timestamp-authority (Go) Jun 30, 2026
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS Moderate
CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to alcls01111
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent Moderate
CVE-2026-48496 was published for go.opentelemetry.io/ebpf-profiler (Go) Jun 23, 2026
Credited to alban, christos68k, and florianl
quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion Moderate
CVE-2026-40898 was published for github.com/quic-go/quic-go (Go) Jun 3, 2026
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals Moderate
CVE-2026-45682 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) May 8, 2026
Credited to JesseStutler, bugbunny-research, hzxuzhonghu, and kevin-wangzefeng
Mattermost doesn't limit the size of the request body on the start meeting API endpoint Moderate
CVE-2026-2325 was published for github.com/mattermost/mattermost-plugin-msteams-meetings (Go) May 18, 2026
OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens Moderate
CVE-2026-46405 was published for github.com/openbao/openbao (Go) May 28, 2026
Credited to KadirArslan
Incus is affected by unbounded binary import disk exhaustion Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
Incus has Unbounded YAML Metadata Decode via Parsing Moderate
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber
Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify any echo's fav_count Moderate
GHSA-pj6q-4vq4-r8cg was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Mattermost MS Teams plugin doesn't limit the request body size on the /changes webhook endpoint Moderate
CVE-2026-24661 was published for github.com/mattermost/mattermost-plugin-msteams (Go) Apr 9, 2026
Go Images vulnerable to an out-of-memory error via a crafted TIFF file Moderate
CVE-2026-33809 was published for golang.org/x/image (Go) Mar 25, 2026
Credited to ZephrFish
Quill has DoS via unbounded read of HTTP response body during notarization Moderate
CVE-2026-31960 was published for github.com/anchore/quill (Go) Mar 11, 2026
Credited to opera-aklajn
Quill has unbounded memory allocation via unvalidated size fields in Mach-O binary parsing Moderate
CVE-2026-31961 was published for github.com/anchore/quill (Go) Mar 11, 2026
Credited to opera-aklajn
Vikunja has File Size Limit Bypass via Vikunja Import Moderate
CVE-2026-35602 was published for code.vikunja.io/api (Go) Apr 10, 2026
Credited to adrgs and aisafe-bot
kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution Moderate
GHSA-h9mw-h4qc-f5jf was published for github.com/platform-mesh/kubernetes-graphql-gateway (Go) Apr 8, 2026
go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers Moderate
CVE-2026-35480 was published for github.com/ipld/go-ipld-prime (Go) Apr 6, 2026
Credited to yuliyu123
go-git: Maliciously crafted idx file can cause asymmetric memory consumption Moderate
CVE-2026-34165 was published for github.com/go-git/go-git/v5 (Go) Mar 30, 2026
Credited to kq5y
NATS is vulnerable to pre-auth DoS through WebSockets client service Moderate
CVE-2026-33219 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token Moderate
CVE-2026-33621 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
Incus vulnerable to denial of service through crafted bucket backup file Moderate
CVE-2026-33743 was published for github.com/lxc/incus (Go) Mar 27, 2026
Credited to stamparm and stgraber
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload Moderate
CVE-2026-30961 was published for github.com/forceu/gokapi (Go) Mar 13, 2026
Credited to Sijisu, aisafe-bot, and Forceu