
GitHub Advisory Database

A security vulnerability database that includes CVEs and GitHub-originated security advisories from the world of open source software.

125 advisories

Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context (Moderate)
CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026
Credited to baradika
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint (Moderate)
CVE-2026-41262 was published for github.com/fleetdm/fleet/v4 (Go) on Jun 26, 2026
Credited to offset
opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication (Moderate)
CVE-2026-55701 was published for github.com/open-telemetry/opentelemetry-collector-contrib/receiver/githubreceiver (Go) on Jun 18, 2026
Credited to kodareef5
Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected (Moderate)
CVE-2026-55636 was published for github.com/projectcapsule/capsule (Go) on Jun 17, 2026
Credited to character-s
Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join (Moderate)
CVE-2026-54324 was published for github.com/daytonaio/daytona (Go) on Jun 17, 2026
Credited to vnth4nhnt
Credited to vvvvvvvvvvel and Saku0512
Gitea: Token scope bypass on web archive download endpoint (Moderate)
CVE-2026-20706 was published for code.gitea.io/gitea (Go) on Jun 16, 2026
Credited to geoo115
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data (Moderate)
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) on Jun 10, 2026
Credited to offset
CAPM3 vulnerable to Cross-Namespace resource access (Moderate)
GHSA-rf84-wr5g-m3rp was published for github.com/metal3-io/cluster-api-provider-metal3 (Go) on May 29, 2026
Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability (Moderate)
CVE-2026-22872 was published for github.com/projectcapsule/capsule (Go) on May 28, 2026
Credited to b0b0haha
Mattermost allows authenticated users to gain access to private repositories (Moderate)
CVE-2026-28735 was published for github.com/mattermost/mattermost-plugin-github (Go) on May 26, 2026
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check) (Moderate)
CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) on May 23, 2026
Mattermost has an Incorrect Authorization issue (Moderate)
CVE-2026-4055 was published for github.com/mattermost/mattermost/server/v8 (Go) on May 21, 2026
Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching (Moderate)
GHSA-gx7w-56w6-g48x was published for github.com/caddyserver/caddy/v2 (Go) on May 19, 2026
Credited to Amemoyoi
Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization (Moderate)
CVE-2026-45692 was published for github.com/caddyserver/caddy/v2 (Go) on May 19, 2026
Credited to Amemoyoi
Mattermost doesn't enforce slash command trigger-word uniqueness during command updates (Moderate)
CVE-2026-28732 was published for github.com/mattermost/mattermost-server (Go) on May 18, 2026
Mattermost doesn't check public/private permissions (Moderate)
CVE-2026-6343 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) on May 18, 2026
Mattermost does not verify remote cluster channel access when processing shared channel membership removals (Moderate)
CVE-2026-28759 was published for github.com/mattermost/mattermost-server (Go) on May 18, 2026
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode (Moderate)
CVE-2026-45148 was published for github.com/siyuan-note/siyuan/kernel (Go) on May 13, 2026
Credited to StarPlatinu
Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds` (Moderate)
CVE-2026-42572 was published for github.com/hatchet-dev/hatchet (Go) on May 6, 2026
Credited to sajdakabir and zerotrail-ai
Velocidex Velociraptor has an Incorrect Authorization issue (Moderate)
CVE-2026-6863 was published for www.velocidex.com/golang/velociraptor (Go) on May 6, 2026
Distribution's tag deletion bypasses `storage.delete.enabled` configuration (Moderate)
CVE-2026-41888 was published for github.com/distribution/distribution (Go) on May 4, 2026
Credited to joonas
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding (Moderate)
CVE-2026-41174 was published for github.com/traefik/traefik (Go) on Apr 24, 2026
Credited to tamemghq
OpenFGA has Improper Policy Enforcement (Moderate)
CVE-2026-41131 was published for github.com/openfga/openfga (Go) on Apr 22, 2026
Credited to bugbunny-research