GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
125 advisories
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context
Moderate severity; CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) on Jun 26, 2026

Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Moderate severity; CVE-2026-41262 was published for github.com/fleetdm/fleet/v4 (Go) on Jun 26, 2026

opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
Moderate severity; CVE-2026-55701 was published for github.com/open-telemetry/opentelemetry-collector-contrib/receiver/githubreceiver (Go) on Jun 18, 2026

Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected
Moderate severity; CVE-2026-55636 was published for github.com/projectcapsule/capsule (Go) on Jun 17, 2026

Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
Moderate severity; CVE-2026-54324 was published for github.com/daytonaio/daytona (Go) on Jun 17, 2026

Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
Moderate severity; CVE-2026-54761 was published for github.com/traefik/traefik (Go) on Jun 17, 2026

Gitea: Token scope bypass on web archive download endpoint
Moderate severity; CVE-2026-20706 was published for code.gitea.io/gitea (Go) on Jun 16, 2026

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Moderate severity; CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) on Jun 10, 2026

CAPM3 vulnerable to Cross-Namespace resource access
Moderate severity; GHSA-rf84-wr5g-m3rp was published for github.com/metal3-io/cluster-api-provider-metal3 (Go) on May 29, 2026

Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability
Moderate severity; CVE-2026-22872 was published for github.com/projectcapsule/capsule (Go) on May 28, 2026

Mattermost allows authenticated users to gain access to private repositories
Moderate severity; CVE-2026-28735 was published for github.com/mattermost/mattermost-plugin-github (Go) on May 26, 2026

Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
Moderate severity; CVE-2026-47120 was published for github.com/nezhahq/nezha (Go) on May 23, 2026

Mattermost has an Incorrect Authorization issue
Moderate severity; CVE-2026-4055 was published for github.com/mattermost/mattermost/server/v8 (Go) on May 21, 2026

Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
Moderate severity; GHSA-gx7w-56w6-g48x was published for github.com/caddyserver/caddy/v2 (Go) on May 19, 2026

Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
Moderate severity; CVE-2026-45692 was published for github.com/caddyserver/caddy/v2 (Go) on May 19, 2026

Mattermost doesn't enforce slash command trigger-word uniqueness during command updates
Moderate severity; CVE-2026-28732 was published for github.com/mattermost/mattermost-server (Go) on May 18, 2026

Mattermost doesn't check public/private permissions
Moderate severity; CVE-2026-6343 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) on May 18, 2026

Mattermost does not verify remote cluster channel access when processing shared channel membership removals
Moderate severity; CVE-2026-28759 was published for github.com/mattermost/mattermost-server (Go) on May 18, 2026

SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
Moderate severity; CVE-2026-45148 was published for github.com/siyuan-note/siyuan/kernel (Go) on May 13, 2026

Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`
Moderate severity; CVE-2026-42572 was published for github.com/hatchet-dev/hatchet (Go) on May 6, 2026

Velocidex Velociraptor has an Incorrect Authorization issue
Moderate severity; CVE-2026-6863 was published for www.velocidex.com/golang/velociraptor (Go) on May 6, 2026

Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Moderate severity; CVE-2026-42220 was published for github.com/0xJacky/Nginx-UI (Go) on May 5, 2026

Distribution's tag deletion bypasses `storage.delete.enabled` configuration
Moderate severity; CVE-2026-41888 was published for github.com/distribution/distribution (Go) on May 4, 2026

Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
Moderate severity; CVE-2026-41174 was published for github.com/traefik/traefik (Go) on Apr 24, 2026

OpenFGA has Improper Policy Enforcement
Moderate severity; CVE-2026-41131 was published for github.com/openfga/openfga (Go) on Apr 22, 2026
ProTip! Advisories are also available from the GraphQL API.