GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed: 5,000+; Composer: 5,000+; Erlang: 92; GitHub Actions: 54; Go: 4,217; Maven: 5,000+; npm: 5,000+; NuGet: 1,021; pip: 5,000+; Pub: 13; RubyGems: 1,103; Rust: 1,443; Swift: 61.
Unreviewed advisories: All unreviewed: 5,000+.
26 advisories
CVE-2026-44935, Critical, published Jul 1, 2026 for github.com/rancher/fleet (Go): Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
CVE-2026-46595, Critical, published Jun 25, 2026 for golang.org/x/crypto/ssh (Go): golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement
CVE-2026-44330, Critical, published May 8, 2026 for github.com/free5gc/nef (Go): free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions
CVE-2026-41050, Critical, published May 7, 2026 for github.com/rancher/fleet (Go): Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
GHSA-9h64-2846-7x7f, Critical, published May 6, 2026 for github.com/getaxonflow/axonflow (Go): Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
CVE-2026-42882, Critical, published May 5, 2026 for github.com/oxyno-zeta/s3-proxy (Go): S3-Proxy has Security Issues in its Resource Path Matching Implementation
CVE-2026-42571, Critical, published May 4, 2026 for github.com/pelicanplatform/pelican (Go): Pelican Web UI Affected by a Privilege Escalation Attack
CVE-2026-6290, Critical, published Apr 15, 2026 for www.velocidex.com/golang/velociraptor (Go): Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token
CVE-2026-32767, Critical, published Mar 16, 2026 for github.com/siyuan-note/siyuan/kernel (Go): SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
CVE-2022-31247, Critical, published Mar 3, 2026 for github.com/rancher/rancher (Go): Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB)
CVE-2026-27112, Critical, published Feb 19, 2026 for github.com/akuity/kargo (Go): Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints
CVE-2025-66719, Critical, published Jan 23, 2026 for github.com/free5gc/nrf (Go): Free5gc NRF is vulnerable to scope validation bypass via maliciously crafted targetNF value
CVE-2026-22822, Critical, published Jan 20, 2026 for github.com/external-secrets/external-secrets (Go): External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
CVE-2025-55205, Critical, published Aug 18, 2025 for github.com/projectcapsule/capsule (Go): Capsule tenant owners with "patch namespace" permission can hijack system namespaces label
CVE-2025-49825, Critical, published Jun 16, 2025 for github.com/gravitational/teleport (Go): Teleport allows remote authentication bypass
CVE-2025-27507, Critical, published Mar 4, 2025 for github.com/zitadel/zitadel (Go): IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
CVE-2024-42490, Critical, published Aug 22, 2024 for goauthentik.io (Go): GoAuthentik vulnerable to Insufficient Authorization for several API endpoints
CVE-2024-36536, Critical, published Jul 24, 2024 for github.com/fabedge/fabedge (Go): fabedge has insecure permissions
CVE-2021-41244, Critical, published May 14, 2024 for github.com/grafana/grafana (Go): Grafana Fine-grained access control vulnerability
CVE-2024-23653, Critical, published Jan 31, 2024 for github.com/moby/buildkit (Go): Buildkit's interactive containers API does not validate entitlements check
CVE-2023-33190, Critical, published Jun 30, 2023 for github.com/labring/sealos (Go): Improper configuration of RBAC permissions obtaining cluster control permissions
CVE-2021-32163, Critical, published Feb 17, 2023 for mosn.io/mosn (Go): Privilege escalation in MOSN
CVE-2023-23947, Critical, published Feb 16, 2023 for github.com/argoproj/argo-cd (Go): Users with any cluster secret update access may update out-of-bounds cluster secrets
CVE-2023-22482, Critical, published Jan 25, 2023 for github.com/argoproj/argo-cd (Go): JWT audience claim is not verified
CVE-2017-18884, Critical, published May 24, 2022 for github.com/mattermost/mattermost-server (Go): Mattermost Server exposes OAuth personal access tokens to attackers
ProTip! Advisories are also available from the GraphQL API.