GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,545 advisories

Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query High
CVE-2026-44840 was published for github.com/dgraph-io/dgraph/v25 (Go) Jun 29, 2026
SnailSploit Credited to SnailSploit
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) High
CVE-2026-49338 was published for go.senan.xyz/gonic (Go) Jun 26, 2026
therawdev Credited to therawdev
Blnk has an API key authorization bypass in owner and scope enforcement High
GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) Jun 26, 2026
Shivam8584 Credited to Shivam8584
Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete) High
CVE-2026-49258 was published for github.com/juev/nebula-mesh (Go) Jun 26, 2026
ak2k Credited to ak2k
Hysteria: http large header with sniff cause server DoS High
GHSA-jqc5-2p7q-fqfc was published for github.com/apernet/hysteria (Go) Jun 26, 2026
Cherrling Credited to Cherrling
Hysteria vulnerable to server crash when max_datagram_frame_size very small High
GHSA-qh5x-rfwf-rvfv was published for github.com/apernet/hysteria (Go) Jun 26, 2026
Cherrling Credited to Cherrling
Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF High
GHSA-vgrc-hq28-p3xp was published for github.com/apernet/hysteria/core/v2 (Go) Jun 26, 2026
0xlally Credited to 0xlally
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing High
CVE-2026-48788 was published for github.com/umputun/remark42 (Go) Jun 26, 2026
ildkh Credited to ildkh
golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS High
CVE-2026-39829 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic High
CVE-2026-46597 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic High
CVE-2026-48702 was published for github.com/sigstore/rekor (Go) Jun 25, 2026
chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header High
GHSA-rjr7-jggh-pgcp was published for github.com/go-chi/chi/middleware (Go) Jun 25, 2026
rezmoss Credited to rezmoss
chi Middleware Vulnerable to Potential IP Spoofing via `X-Forwarded-For` Header in `Request.RemoteAddr` Resolution High
GHSA-9g5q-2w5x-hmxf was published for github.com/go-chi/chi/middleware (Go) Jun 25, 2026
convto Credited to convto
OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination High
CVE-2026-48708 was published for github.com/OliveTin/OliveTin (Go) Jun 24, 2026
knight-yagami Credited to knight-yagami
Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir High
CVE-2026-48126 was published for github.com/xyproto/algernon (Go) Jun 23, 2026
fg0x0 Credited to fg0x0
Gogs: LFS dedupe path leaks private repo content across tenants High
CVE-2026-52812 was published for gogs.io/gogs (Go) Jun 23, 2026
amwhoi Credited to amwhoi
Aikido-Security Credited to Aikido-Security, JorianWoltjer, and grumpinout1
Gogs's write-level collaborators can mutate admin-only repository settings via API High
CVE-2026-52808 was published for gogs.io/gogs (Go) Jun 23, 2026
bugbunny-research Credited to bugbunny-research
Gogs has DOM-based XSS via Milestone Name on New Issue Page High
CVE-2026-52807 was published for gogs.io/gogs (Go) Jun 23, 2026
Gogs has a Migration Redirect Bypass that Leads to Internal Repository Theft High
CVE-2026-52805 was published for gogs.io/gogs (Go) Jun 23, 2026
u-ktdi Credited to u-ktdi
Gogs has the ability to import local repositories via Mirror Settings High
CVE-2026-52801 was published for gogs.io/gogs (Go) Jun 23, 2026
KKC73 Credited to KKC73
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover High
CVE-2026-52800 was published for gogs.io/gogs (Go) Jun 23, 2026
odgrso Credited to odgrso
Gogs Missing Authorization in Attachment Download High
CVE-2026-52799 was published for gogs.io/gogs (Go) Jun 22, 2026
odgrso Credited to odgrso