GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

459 advisories

Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key Critical
CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to riodrwn
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check Critical
GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to Uhudsavasindankacanokcu2
Incus has an arbitrary file write on its client due to trusted image hash Critical
CVE-2026-48769 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an argument injection in backup compression algorithm leading to AFW and ACE Critical
CVE-2026-48755 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file write via path traversal in S3 multipart upload Critical
CVE-2026-48753 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has arbitrary file read+write on host via templates/ symlink in malicious image Critical
CVE-2026-48752 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has a restricted project bypass leading to arbitrary command execution Critical
CVE-2026-48751 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image Critical
CVE-2026-48750 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image Critical
CVE-2026-48749 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement Critical
CVE-2026-46595 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @revoked status Critical
CVE-2026-42508 was published for golang.org/x/crypto/ssh/knownhosts (Go) Jun 25, 2026
golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes Critical
CVE-2026-39834 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed Critical
CVE-2026-39831 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses Critical
CVE-2026-39830 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys Critical
CVE-2026-39832 was published for golang.org/x/crypto/ssh/agent (Go) Jun 25, 2026
golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints Critical
CVE-2026-39833 was published for golang.org/x/crypto/ssh/agent (Go) Jun 25, 2026
Gogs has Path Traversal in organization name that results in RCE through Git hooks Critical
CVE-2026-52813 was published for gogs.io/gogs (Go) Jun 23, 2026
Credited to Aikido-Security, JorianWoltjer, and grumpinout1
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym Critical
CVE-2026-52811 was published for gogs.io/gogs (Go) Jun 23, 2026
Credited to amwhoi
Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge Critical
CVE-2026-52806 was published for gogs.io/gogs (Go) Jun 23, 2026
Credited to Crypto-Cat
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag Critical
GHSA-wfqx-gjrf-g28r was published for github.com/crossplane/crossplane (Go) Jun 19, 2026
Credited to bugbunny-research and tonghuaroot
Tilt: Missing authentication on the network-exposed Tilt HUD server Critical
CVE-2026-55884 was published for github.com/tilt-dev/tilt (Go) Jun 19, 2026
Credited to therawdev
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) Critical
CVE-2026-11717 was published for github.com/googleapis/mcp-toolbox (Go) Jun 18, 2026
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) Critical
CVE-2026-11718 was published for github.com/googleapis/mcp-toolbox (Go) Jun 18, 2026
Credited to kamil-sawicki and ncw
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery Critical
CVE-2026-48031 was published for github.com/dhax/go-base (Go) Jun 10, 2026
Credited to saaa99999999