
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,372 advisories

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module Moderate
CVE-2026-27116 was published for code.vikunja.io/api (Go) Feb 25, 2026
Credited to sudo0xksh
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow Moderate
CVE-2026-25882 was published for github.com/gofiber/fiber/v2 (Go) Feb 24, 2026
Credited to sixcolors, TheAspectDev, gaby, and ReneWerner87
Caddy is vulnerable to cross-origin config application via local admin API /load Moderate
CVE-2026-27589 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to 1seal
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections Moderate
CVE-2026-27585 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver (Go) Feb 24, 2026
Credited to parrot409
nats-server websockets are vulnerable to pre-auth memory DoS Moderate
CVE-2026-27571 was published for github.com/nats-io/nats-server (Go) Feb 24, 2026
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints Moderate
CVE-2026-27111 was published for github.com/akuity/kargo (Go) Feb 19, 2026
Credited to b0b0haha and krancour
apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams Moderate
CVE-2026-25122 was published for chainguard.dev/apko (Go) Feb 3, 2026
Credited to 1seal, egibs, antitree, and jdolitsky
uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries Moderate
CVE-2026-26994 was published for github.com/refraction-networking/utls (Go) Apr 23, 2025
Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled Moderate
CVE-2026-26963 was published for github.com/cilium/cilium (Go) Feb 19, 2026
Credited to julianwiedmann and smagnani96
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake Moderate
CVE-2026-26315 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
Credited to fengjian
Libredesk has a SSRF Vulnerability in Webhooks Moderate
CVE-2026-26957 was published for github.com/abhinavxd/libredesk (Go) Feb 18, 2026
Credited to PlayerIUnknown
Centrifugo v6.6.0 dependency vulnerabilities Moderate
GHSA-j9wf-6r2x-hqmx was published for github.com/centrifugal/centrifugo/v6 (Go) Feb 19, 2026
Credited to samir-is-here
Go Ethereum affected by DoS via malicious p2p message Moderate
CVE-2026-26313 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
Credited to revofusion
Kata Container to Guest micro VM privilege escalation Moderate
CVE-2026-24834 was published for github.com/kata-containers/kata-containers/src/runtime (Go) Feb 19, 2026
Credited to kostya-oai, sprt, fidencio, and stevenhorsman
Echo has a Windows path traversal via backslash in middleware.Static default filesystem Moderate
CVE-2026-25766 was published for github.com/labstack/echo/v5 (Go) Feb 17, 2026
Credited to shblue21, aldas, and vishr
Unauthenticated File Upload in Gogs Moderate
CVE-2026-25242 was published for gogs.io/gogs (Go) Feb 17, 2026
Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs Moderate
CVE-2026-25229 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs Allows Cross-Repository Comment Deletion via DeleteComment Moderate
CVE-2026-25120 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to tenbbughunters
Mattermost fails to properly validate team membership when processing channel mentions Moderate
CVE-2025-14350 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost fails to sanitize sensitive data in WebSocket messages Moderate
CVE-2025-13821 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost fails to properly validate login method restrictions Moderate
CVE-2026-0999 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost Plugin Zoom fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint Moderate
CVE-2026-0998 was published for github.com/mattermost/mattermost-plugin-zoom (Go) Feb 16, 2026
Mattermost Plugin Zoom allows any logged-in user to change Zoom meeting restrictions for arbitrary channels Moderate
CVE-2026-0997 was published for github.com/mattermost/mattermost-plugin-zoom (Go) Feb 16, 2026
Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts Moderate
CVE-2026-22892 was published for github.com/mattermost/mattermost-server (Go) Feb 13, 2026
Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key Moderate
CVE-2026-26014 was published for github.com/pion/dtls (Go) Feb 11, 2026
Credited to theodorsm and JoTurk