GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
338 advisories
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Critical
CVE-2026-32767
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
File Browser Signup Grants Admin When Default Permissions Include Admin
Critical
CVE-2026-32760
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical
CVE-2026-32301
was published
for
github.com/centrifugal/centrifugo/v6
(Go)
Mar 13, 2026
SM9 Infinity-Point Ciphertext Forgery Vulnerability
Critical
CVE-2026-32614
was published
for
github.com/emmansun/gmsm
(Go)
Mar 13, 2026
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Critical
CVE-2026-31886
was published
for
github.com/dagu-org/dagu
(Go)
Mar 13, 2026
Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
Critical
CVE-2024-25124
was published
for
github.com/gofiber/fiber/v2
(Go)
Feb 22, 2024
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Critical
CVE-2026-32136
was published
for
github.com/AdguardTeam/AdGuardHome
(Go)
Mar 12, 2026
Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go
Critical
GHSA-j443-wcqq-xprh
was published
for
github.com/arslanbekov/terraform-provider-sendgrid
(Go)
Mar 11, 2026
Linkdave Missing Authentication on REST and WebSocket endpoints
Critical
GHSA-xv8g-fj9h-6gmv
was published
for
github.com/shi-gg/linkdave
(Go)
Mar 10, 2026
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage
Critical
CVE-2026-30869
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 7, 2026
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
Critical
CVE-2026-30832
was published
for
github.com/charmbracelet/soft-serve
(Go)
Mar 6, 2026
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
Critical
CVE-2026-29191
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
WeKnora Vulnerable to Broken Access Control in Tenant Management
Critical
CVE-2026-30855
was published
for
github.com/Tencent/WeKnora
(Go)
Mar 6, 2026
WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool
Critical
CVE-2026-30860
was published
for
github.com/Tencent/WeKnora
(Go)
Mar 6, 2026
WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation
Critical
CVE-2026-30861
was published
for
github.com/Tencent/WeKnora
(Go)
Mar 7, 2026
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
Critical
CVE-2026-29183
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 4, 2026
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
Critical
CVE-2026-29188
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 4, 2026
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
Critical
CVE-2026-27944
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Mar 5, 2026
Gogs: Cross-repository LFS object overwrite via missing content hash verification
Critical
CVE-2026-25921
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints
Critical
CVE-2026-27112
was published
for
github.com/akuity/kargo
(Go)
Feb 19, 2026
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Critical
CVE-2026-28268
was published
for
code.vikunja.io/api
(Go)
Feb 28, 2026
ProTip!
Advisories are also available from the
GraphQL API