Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26 advisories

Loading
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer Critical
CVE-2026-44935 was published for github.com/rancher/fleet (Go) Jul 1, 2026
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement Critical
CVE-2026-46595 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
LinZiyuu Credited to LinZiyuu
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering Critical
CVE-2026-41050 was published for github.com/rancher/fleet (Go) May 7, 2026
kodareef5 Credited to kodareef5
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
S3-Proxy has Security Issues in its Resource Path Matching Implementation Critical
CVE-2026-42882 was published for github.com/oxyno-zeta/s3-proxy (Go) May 5, 2026
argos83 Credited to argos83
Pelican Web UI Affected by a Privilege Escalation Attack Critical
CVE-2026-42571 was published for github.com/pelicanplatform/pelican (Go) May 4, 2026
bbockelm Credited to bbockelm, brianaydemir, jhiemstrawisc, matyasselmeci, and williamnswanson brianaydemir brianaydemir
jhiemstrawisc jhiemstrawisc matyasselmeci matyasselmeci williamnswanson williamnswanson
Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token Critical
CVE-2026-6290 was published for www.velocidex.com/golang/velociraptor (Go) Apr 15, 2026
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API Critical
CVE-2026-32767 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
iconnnjka Credited to iconnnjka
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) Critical
CVE-2022-31247 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints Critical
CVE-2026-27112 was published for github.com/akuity/kargo (Go) Feb 19, 2026
b0b0haha Credited to b0b0haha, spingARbor, and krancour spingARbor spingARbor
krancour krancour
Free5gc NRF is vulnerable to scope validation bypass via maliciously crafted targetNF value Critical
CVE-2025-66719 was published for github.com/free5gc/nrf (Go) Jan 23, 2026
p0sql Credited to p0sql
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function Critical
CVE-2026-22822 was published for github.com/external-secrets/external-secrets (Go) Jan 20, 2026
evrardjp Credited to evrardjp, budimanjojo, and gusfcarvalho budimanjojo budimanjojo
gusfcarvalho gusfcarvalho
Capsule tenant owners with "patch namespace" permission can hijack system namespaces label Critical
CVE-2025-55205 was published for github.com/projectcapsule/capsule (Go) Aug 18, 2025
b0b0haha Credited to b0b0haha
Teleport allows remote authentication bypass Critical
CVE-2025-49825 was published for github.com/gravitational/teleport (Go) Jun 16, 2025
IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations Critical
CVE-2025-27507 was published for github.com/zitadel/zitadel (Go) Mar 4, 2025
amit-laish Credited to amit-laish, livio-a, fforootd, and adlerhurst livio-a livio-a
fforootd fforootd adlerhurst adlerhurst
GoAuthentik vulnerable to Insufficient Authorization for several API endpoints Critical
CVE-2024-42490 was published for goauthentik.io (Go) Aug 22, 2024
m2a2 Credited to m2a2
fabedge has insecure permissions Critical
CVE-2024-36536 was published for github.com/fabedge/fabedge (Go) Jul 24, 2024
Grafana Fine-grained access control vulnerability Critical
CVE-2021-41244 was published for github.com/grafana/grafana (Go) May 14, 2024
Buildkit's interactive containers API does not validate entitlements check Critical
CVE-2024-23653 was published for github.com/moby/buildkit (Go) Jan 31, 2024
rmcnamara-snyk Credited to rmcnamara-snyk
Improper configuration of RBAC permissions obtaining cluster control permissions Critical
CVE-2023-33190 was published for github.com/labring/sealos (Go) Jun 30, 2023
DVKunion Credited to DVKunion
Privilege escalation in MOSN Critical
CVE-2021-32163 was published for mosn.io/mosn (Go) Feb 17, 2023
Users with any cluster secret update access may update out-of-bounds cluster secrets Critical
CVE-2023-23947 was published for github.com/argoproj/argo-cd (Go) Feb 16, 2023
crenshaw-dev Credited to crenshaw-dev
JWT audience claim is not verified Critical
CVE-2023-22482 was published for github.com/argoproj/argo-cd (Go) Jan 25, 2023
farcaller Credited to farcaller
Mattermost Server exposes OAuth personal access tokens to attackers Critical
CVE-2017-18884 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
ProTip! Advisories are also available from the GraphQL API