
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

179 advisories

Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality Moderate
CVE-2026-49835 was published for github.com/sigstore/timestamp-authority (Go) Jun 30, 2026
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS Moderate
CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to alcls01111
Hysteria: http large header with sniff cause server DoS High
GHSA-jqc5-2p7q-fqfc was published for github.com/apernet/hysteria (Go) Jun 26, 2026
Credited to Cherrling
Hysteria vulnerable to server crash when max_datagram_frame_size very small High
GHSA-qh5x-rfwf-rvfv was published for github.com/apernet/hysteria (Go) Jun 26, 2026
Credited to Cherrling
Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic High
CVE-2026-48702 was published for github.com/sigstore/rekor (Go) Jun 25, 2026
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent Moderate
CVE-2026-48496 was published for go.opentelemetry.io/ebpf-profiler (Go) Jun 23, 2026
Credited to alban, christos68k, and florianl
klever-go: REST API slow-header connection exhaustion via Gin Engine.Run High
CVE-2026-52880 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
Credited to estensen
klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS High
CVE-2026-52879 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
Credited to estensen
quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion Moderate
CVE-2026-40898 was published for github.com/quic-go/quic-go (Go) Jun 3, 2026
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals Moderate
CVE-2026-45682 was published for go.opentelemetry.io/obi (Go) May 18, 2026
Credited to MrAlias and grcevski
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) May 8, 2026
Credited to JesseStutler, bugbunny-research, hzxuzhonghu, and kevin-wangzefeng
SpdyStream: DOS on CRI High
CVE-2026-35469 was published for github.com/moby/spdystream (Go) Apr 16, 2026
Mattermost doesn't limit the size of the request body on the start meeting API endpoint Moderate
CVE-2026-2325 was published for github.com/mattermost/mattermost-plugin-msteams-meetings (Go) May 18, 2026
Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload High
CVE-2026-44697 was published for github.com/klever-io/klever-go (Go) May 13, 2026
Credited to fbsobreira
OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens Moderate
CVE-2026-46405 was published for github.com/openbao/openbao (Go) May 28, 2026
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes High
CVE-2026-45713 was published for github.com/axllent/mailpit (Go) May 19, 2026
Credited to KadirArslan
iskorotkov/avro: Denial-of-Service Vulnerability in Decoder High
GHSA-mx64-mj3q-7prj was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
Credited to klajok
SpiceDB WriteRelationships fails silently if payload is too big Low
CVE-2025-64529 was published for github.com/authzed/spicedb (Go) Nov 13, 2025
Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor High
CVE-2026-42294 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
Credited to Rudra2018, Joibel, and isubasinghe
Incus is affected by unbounded binary import disk exhaustion Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber
Incus has Unbounded YAML Metadata Decode via Parsing Moderate
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber
monetr: Server-side request forgery in Lunch Flow link creation and refresh High
CVE-2026-41644 was published for github.com/monetr/monetr (Go) Apr 22, 2026
Credited to elliotcourant
Hashicorp Boundary workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes High
CVE-2026-7776 was published for github.com/hashicorp/boundary (Go) May 5, 2026