GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
179 advisories
Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)
Moderate | CVE-2026-48824 was published for github.com/axllent/mailpit (Go) on Jul 1, 2026
Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality
Moderate | CVE-2026-49835 was published for github.com/sigstore/timestamp-authority (Go) on Jun 30, 2026
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS
Moderate | CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
Hysteria: http large header with sniff cause server DoS
High | GHSA-jqc5-2p7q-fqfc was published for github.com/apernet/hysteria (Go) on Jun 26, 2026
Hysteria vulnerable to server crash when max_datagram_frame_size very small
High | GHSA-qh5x-rfwf-rvfv was published for github.com/apernet/hysteria (Go) on Jun 26, 2026
Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic
High | CVE-2026-48702 was published for github.com/sigstore/rekor (Go) on Jun 25, 2026
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent
Moderate | CVE-2026-48496 was published for go.opentelemetry.io/ebpf-profiler (Go) on Jun 23, 2026
klever-go: REST API slow-header connection exhaustion via Gin Engine.Run
High | CVE-2026-52880 was published for github.com/klever-io/klever-go (Go) on Jun 5, 2026
klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS
High | CVE-2026-52879 was published for github.com/klever-io/klever-go (Go) on Jun 5, 2026
quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion
Moderate | CVE-2026-40898 was published for github.com/quic-go/quic-go (Go) on Jun 3, 2026
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
Moderate | CVE-2026-45682 was published for go.opentelemetry.io/obi (Go) on May 18, 2026
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size
Moderate | CVE-2026-44247 was published for volcano.sh/volcano (Go) on May 8, 2026
SpdyStream: DOS on CRI
High | CVE-2026-35469 was published for github.com/moby/spdystream (Go) on Apr 16, 2026
Mattermost doesn't limit the size of the request body on the start meeting API endpoint
Moderate | CVE-2026-2325 was published for github.com/mattermost/mattermost-plugin-msteams-meetings (Go) on May 18, 2026
Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload
High | CVE-2026-44697 was published for github.com/klever-io/klever-go (Go) on May 13, 2026
OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
Moderate | CVE-2026-46405 was published for github.com/openbao/openbao (Go) on May 28, 2026
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
High | CVE-2026-45713 was published for github.com/axllent/mailpit (Go) on May 19, 2026
Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)
Moderate | CVE-2026-45712 was published for github.com/axllent/mailpit (Go) on May 19, 2026
iskorotkov/avro: Denial-of-Service Vulnerability in Decoder
High | GHSA-mx64-mj3q-7prj was published for github.com/iskorotkov/avro/v2 (Go) on May 18, 2026
SpiceDB WriteRelationships fails silently if payload is too big
Low | CVE-2025-64529 was published for github.com/authzed/spicedb (Go) on Nov 13, 2025
Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
High | CVE-2026-42294 was published for github.com/argoproj/argo-workflows/v3 (Go) on May 4, 2026
Incus is affected by unbounded binary import disk exhaustion
Moderate | CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
Incus has Unbounded YAML Metadata Decode via Parsing
Moderate | CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
monetr: Server-side request forgery in Lunch Flow link creation and refresh
High | CVE-2026-41644 was published for github.com/monetr/monetr (Go) on Apr 22, 2026
Hashicorp Boundary workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes
High | CVE-2026-7776 was published for github.com/hashicorp/boundary (Go) on May 5, 2026