GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
93 advisories
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
Severity: High. CVE-2026-49824 was published for github.com/fission/fission (Go) on Jun 30, 2026.

Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
Severity: High. CVE-2026-49823 was published for github.com/fission/fission (Go) on Jun 30, 2026.

Blnk has an API key authorization bypass in owner and scope enforcement
Severity: High. GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) on Jun 26, 2026.

Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
Severity: High. CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) on May 23, 2026.

Gogs's write-level collaborators can mutate admin-only repository settings via API
Severity: High. CVE-2026-52808 was published for gogs.io/gogs (Go) on Jun 23, 2026.

containerd CRI checkpoint restore CDI annotation smuggling
Severity: High. CVE-2026-53492 was published for github.com/containerd/containerd/v2 (Go) on Jun 19, 2026.

ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
Severity: High. CVE-2026-55672 was published for github.com/zitadel/zitadel (Go) on Jun 18, 2026.

Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes
Severity: High. CVE-2026-24791 was published for code.gitea.io/gitea (Go) on Jun 17, 2026.

Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration
Severity: High. CVE-2026-22555 was published for code.gitea.io/gitea (Go) on Jun 17, 2026.

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
Severity: High. CVE-2026-26231 was published for code.gitea.io/gitea (Go) on Jun 16, 2026.

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
Severity: High. CVE-2026-28699 was published for code.gitea.io/gitea (Go) on Jun 16, 2026.

Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
Severity: High. CVE-2026-28744 was published for code.gitea.io/gitea (Go) on Jun 16, 2026.

Daytona: Public sandbox previews remain accessible for up to one hour after being made private
Severity: High. CVE-2026-54321 was published for github.com/daytonaio/daytona (Go) on Jun 16, 2026.

File Browser has incorrect access control for public directory shares via rule path rebasing
Severity: High. CVE-2026-54091 was published for github.com/filebrowser/filebrowser (Go) on Jun 12, 2026.

Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection
Severity: High. CVE-2026-48113 was published for github.com/jpillora/chisel (Go) on Jun 12, 2026.

DevGuard has improper authorization on public assets
Severity: High. CVE-2026-48089 was published for github.com/l3montree-dev/devguard (Go) on Jun 11, 2026.

GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands
Severity: High. CVE-2026-48501 was published for github.com/cli/cli/v2 (Go) on May 29, 2026.

Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
Severity: High. CVE-2026-44882 was published for github.com/portainer/portainer (Go) on May 14, 2026.

Portainer has a bind-mount restriction bypass via HostConfig.Mounts
Severity: High. CVE-2026-44850 was published for github.com/portainer/portainer (Go) on May 14, 2026.

Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
Severity: High. CVE-2026-44473 was published for github.com/ellanetworks/core (Go) on May 11, 2026.

OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL
Severity: High. CVE-2026-45808 was published for github.com/openbao/openbao (Go) on May 28, 2026.

Moby has AuthZ plugin bypass when provided oversized request bodies
Severity: High. CVE-2026-34040 was published for github.com/docker/docker (Go) on Mar 27, 2026.

Unauthorized access to Argo Workflows Template
Severity: High. CVE-2026-28229 was published for github.com/argoproj/argo-workflows/v3 (Go) on Mar 11, 2026.

Argo has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure
Severity: High. CVE-2026-42296 was published for github.com/argoproj/argo-workflows/v3 (Go) on May 4, 2026.

New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
Severity: High. CVE-2026-41432 was published for github.com/QuantumNous/new-api (Go) on Apr 24, 2026.