
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

1,702 advisories

arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS Moderate
GHSA-rc6v-5rmx-w5mv was published for github.com/arnika-project/arnika (Go) May 15, 2026
Credited to dpolzoni and nean-and-i
slack-go `SecretsVerifier` accepts empty signing secret without precondition Moderate
GHSA-gxhx-2686-5h9g was published for github.com/slack-go/slack (Go) May 14, 2026
Credited to SnailSploit
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin Moderate
CVE-2026-45021 was published for github.com/kumahq/kuma (Go) May 14, 2026
Portainer missing authorization on custom template file endpoint, which exposes template content Moderate
CVE-2026-44884 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to duddnr0615k
Portainer has a path traversal in backup archive extraction that allows arbitrary file write Moderate
CVE-2026-44885 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to kolega-ai-dev
Fleet: IP spoofing allows bypassing API rate limiting Moderate
CVE-2026-46356 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet vulnerable to OS command injection in software packages Moderate
CVE-2026-26191 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet has a rate limiting bypass via untrusted client IP headers Moderate
CVE-2026-24000 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode Moderate
CVE-2026-45148 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to StarPlatinu
SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk Moderate
CVE-2026-45147 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to StarPlatinu
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion Moderate
CVE-2026-44740 was published for github.com/go-git/go-billy/v5 (Go) May 13, 2026
Credited to faran66
Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content Moderate
CVE-2026-45046 was published for github.com/safedep/gryph (Go) May 11, 2026
Credited to dodge1218
Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest Moderate
CVE-2026-44475 was published for github.com/ellanetworks/core (Go) May 11, 2026
Credited to SJNA0414, bradypus404, and ICSR-KMU
free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference) Moderate
CVE-2026-44323 was published for github.com/free5gc/udr (Go) May 8, 2026
Credited to LinZiyuu
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits Moderate
CVE-2026-44309 was published for github.com/sigstore/gitsign (Go) May 8, 2026
Credited to bugbunny-research
in-toto-golang and in-toto-python have inconsistent negation behavior Moderate
GHSA-pmwq-pjrm-6p5r was published for github.com/in-toto/in-toto-golang (Go) May 8, 2026
Credited to 1seal
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) May 8, 2026
Credited to JesseStutler, bugbunny-research, hzxuzhonghu, and kevin-wangzefeng
gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers Moderate
CVE-2026-44310 was published for github.com/sigstore/gitsign (Go) May 8, 2026
Credited to bugbunny-research
ExternalSecrets vulnerable to privilege escalation with secret overwriting Moderate
CVE-2026-42876 was published for github.com/external-secrets/external-secrets/apis (Go) May 8, 2026
Credited to factory-nizar and factory-kirk
MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` Moderate
CVE-2026-44429 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
Credited to JosephDoUrden and rdimitrov
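The slack-go entry above (GHSA-gxhx-2686-5h9g) is about a request-signature verifier that can be constructed with an empty signing secret. The Go program below is an added example written for this listing, not slack-go's code: it checks a Slack-style "v0" HMAC-SHA256 signature and refuses an empty secret at construction time, because HMAC with an empty key is still a well-formed MAC that any sender can compute. The type and function names, the replay window and the sample body are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

var (
	ErrEmptySecret  = errors.New("signing secret must not be empty")
	ErrBadTimestamp = errors.New("timestamp missing or outside the replay window")
	ErrBadSignature = errors.New("signature mismatch")
)

// Verifier checks signatures of the form
// v0=hex(HMAC-SHA256(secret, "v0:" + timestamp + ":" + body)).
// Hypothetical type written for this listing; not slack-go's API.
type Verifier struct {
	secret []byte
	window time.Duration
	now    func() time.Time // injectable so tests are deterministic
}

// NewVerifier is the precondition: an empty secret is refused up front.
// With an empty key every party can produce a valid MAC, so a verifier
// built that way would silently accept forged requests.
func NewVerifier(secret string, window time.Duration) (*Verifier, error) {
	if secret == "" {
		return nil, ErrEmptySecret
	}
	return &Verifier{secret: []byte(secret), window: window, now: time.Now}, nil
}

// Sign is what a legitimate sender computes over the request.
func Sign(secret, timestamp string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + timestamp + ":"))
	mac.Write(body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify rejects stale or unparseable timestamps first (replay defence),
// then compares the recomputed MAC in constant time.
func (v *Verifier) Verify(timestamp string, body []byte, signature string) error {
	ts, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return ErrBadTimestamp
	}
	if age := v.now().Sub(time.Unix(ts, 0)); age > v.window || age < -v.window {
		return ErrBadTimestamp
	}
	expected := Sign(string(v.secret), timestamp, body)
	if !hmac.Equal([]byte(expected), []byte(signature)) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	body := []byte(`{"type":"event_callback"}`) // constructed sample body
	ts := strconv.FormatInt(time.Now().Unix(), 10)
	_, err := NewVerifier("", 5*time.Minute)
	fmt.Println("empty secret refused:", err)
	v, _ := NewVerifier("s3cr3t-from-env", 5*time.Minute)
	fmt.Println("forged with empty key:", v.Verify(ts, body, Sign("", ts, body)))
	fmt.Println("genuine:", v.Verify(ts, body, Sign("s3cr3t-from-env", ts, body)))
}
```

The timestamp check runs before the MAC comparison so that a captured valid request cannot be replayed indefinitely; the constant-time compare closes the timing side channel on the signature itself.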
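The Portainer entry CVE-2026-44885 above describes path traversal during backup archive extraction leading to arbitrary file write. The Go program below is an added example written for this listing, not Portainer's restore code: it extracts a tar stream but resolves every entry name under the destination and rejects any that would land outside it, applying the same check to symlink targets. The archive it extracts is constructed in memory for the example, and the function names are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("archive entry escapes destination")

// SafeJoin resolves an archive entry name under dest and rejects anything
// that would land outside it: absolute names, NUL bytes and "../" climbs.
// The check is made on the cleaned result of Join, not on the raw name,
// so "a/../../x" is caught as well as "../x".
func SafeJoin(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.HasPrefix(name, "/") ||
		strings.ContainsRune(name, 0) {
		return "", ErrUnsafePath
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// ExtractTar restores a tar stream under dest, which should be a fresh,
// empty directory. Symlink targets are checked relative to the directory
// the link lives in, so a link cannot redirect a later write outside dest.
// Entry types other than directory, regular file and symlink are refused.
func ExtractTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o750); err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o750)
		case tar.TypeReg:
			// Fixed mode: never honour setuid/setgid bits carried by the archive.
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640); err == nil {
				_, err = io.Copy(f, tr) // tar.Reader already caps the read at hdr.Size
				if cerr := f.Close(); err == nil {
					err = cerr
				}
			}
		case tar.TypeSymlink:
			if _, err = SafeJoin(filepath.Dir(target), hdr.Linkname); err == nil {
				err = os.Symlink(hdr.Linkname, target)
			}
		default:
			err = fmt.Errorf("unsupported entry type %q", hdr.Typeflag)
		}
		if err != nil {
			return fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
	}
}

// SampleArchive builds a small backup-style tarball in memory (constructed
// for this example). With escape=true it also carries a "../../" entry of
// the kind a traversal bug in the extractor would write outside dest.
func SampleArchive(escape bool) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(name, body string) {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(body))
	}
	add("portainer/config.json", `{"version": 2}`)
	if escape {
		add("../../outside.txt", "owned")
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dir, err := os.MkdirTemp("", "restore")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println("clean archive:    ", ExtractTar(bytes.NewReader(SampleArchive(false)), dir))
	fmt.Println("traversal archive:", ExtractTar(bytes.NewReader(SampleArchive(true)), dir))
}
```

The lexical check is only sound when the destination starts out empty and contains no symlinks the archive did not create itself; extract into a fresh temporary directory and move it into place afterwards. Recent Go releases can also be told to refuse non-local entry names in archive/tar through the GODEBUG setting tarinsecurepath=0, which is a useful second line of defence rather than a substitute for the check.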
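Two Fleet entries above (CVE-2026-46356 and CVE-2026-24000) describe API rate limiting bypassed through spoofed or untrusted client IP headers. The Go program below is an added example written for this listing, not Fleet's code: it contrasts the weak pattern, in which the first X-Forwarded-For entry is trusted no matter who sent it, with a resolver that honours the header only when the TCP peer is inside a configured trusted-proxy range and otherwise keys on the peer address. The type and function names, the 10.0.0.0/8 proxy range and the sample addresses are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ClientIPResolver derives the address a rate limiter should key on.
// Hypothetical helper written for this listing.
type ClientIPResolver struct {
	trusted []*net.IPNet
}

// NewClientIPResolver takes the CIDR ranges of the reverse proxies that
// are allowed to set X-Forwarded-For.
func NewClientIPResolver(cidrs ...string) (*ClientIPResolver, error) {
	r := &ClientIPResolver{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		r.trusted = append(r.trusted, n)
	}
	return r, nil
}

func (r *ClientIPResolver) isTrusted(ip net.IP) bool {
	for _, n := range r.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolve returns the client IP to rate-limit on.
func (r *ClientIPResolver) Resolve(req *http.Request) (net.IP, error) {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return nil, fmt.Errorf("remote addr %q: %w", req.RemoteAddr, err)
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, errors.New("unparseable peer address")
	}
	if !r.isTrusted(peer) {
		// Direct client or unknown proxy: whatever it wrote into
		// X-Forwarded-For is attacker-controlled, so ignore it.
		return peer, nil
	}
	// Collect every hop from all X-Forwarded-For headers, in order.
	var hops []string
	for _, v := range req.Header.Values("X-Forwarded-For") {
		for _, h := range strings.Split(v, ",") {
			if h = strings.TrimSpace(h); h != "" {
				hops = append(hops, h)
			}
		}
	}
	// Walk right to left: the rightmost hops were appended by our own
	// proxies; the first address that is not one of ours is the client.
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(hops[i])
		if ip == nil {
			return nil, fmt.Errorf("malformed X-Forwarded-For hop %q", hops[i])
		}
		if !r.isTrusted(ip) {
			return ip, nil
		}
	}
	// Header absent, or every hop was a trusted proxy: key on the peer.
	return peer, nil
}

// NaiveClientIP is the weak pattern: the first X-Forwarded-For entry is
// believed regardless of sender, so a client can pick a fresh rate-limit
// key for every request simply by changing the header.
func NaiveClientIP(req *http.Request) string {
	if v := req.Header.Get("X-Forwarded-For"); v != "" {
		return strings.TrimSpace(strings.Split(v, ",")[0])
	}
	host, _, _ := net.SplitHostPort(req.RemoteAddr)
	return host
}

func main() {
	r, _ := NewClientIPResolver("10.0.0.0/8")
	// Constructed request: a direct client claiming to be someone else.
	spoofed := &http.Request{RemoteAddr: "203.0.113.5:4444",
		Header: http.Header{"X-Forwarded-For": {"198.51.100.1"}}}
	ip, _ := r.Resolve(spoofed)
	fmt.Println("naive key:", NaiveClientIP(spoofed), " trusted-proxy key:", ip)
}
```

The right-to-left walk matters as much as the trust check: a trusted proxy appends the peer it saw, so the rightmost untrusted address is the one the proxy actually talked to, while anything further left was supplied by the client and may be fabricated.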
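The go-billy entry CVE-2026-44740 above concerns symlink resolution without depth or cycle detection, which can loop forever or exhaust resources. The Go program below is an added example written for this listing, not go-billy's code: it resolves a path component by component over an in-memory link table (a stand-in for Readlink/Lstat, constructed so the example runs without a real filesystem) and fails closed on two separate conditions, a hop count above a fixed bound and a revisit of the same link with the same remaining path, which is a true cycle. The limit of 40, the type and function names and the sample links are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// MaxSymlinkHops bounds the total number of links followed while resolving
// one path. 40 is assumed here because it matches the Linux kernel's limit.
const MaxSymlinkHops = 40

var (
	ErrSymlinkLoop     = errors.New("symlink cycle detected")
	ErrTooManySymlinks = errors.New("too many levels of symbolic links")
)

// LinkTable maps an absolute link path to its target, absolute or relative
// to the link's directory. Constructed for the example; not go-billy's API.
type LinkTable map[string]string

// Resolve canonicalises p by following links one component at a time.
func (t LinkTable) Resolve(p string) (string, error) {
	rest := components(p)
	seen := map[string]bool{}
	hops := 0
	resolved := "/"
	for len(rest) > 0 {
		comp := rest[0]
		rest = rest[1:]
		candidate := path.Join(resolved, comp)
		target, isLink := t[candidate]
		if !isLink {
			resolved = candidate
			continue
		}
		hops++
		if hops > MaxSymlinkHops {
			return "", fmt.Errorf("%s: %w", p, ErrTooManySymlinks)
		}
		// A cycle is reaching the same link with the same work left to do.
		// Keying on (link, remaining path) rather than the link alone keeps
		// legitimate paths that cross one link twice from being rejected.
		state := candidate + "\x00" + strings.Join(rest, "/")
		if seen[state] {
			return "", fmt.Errorf("%s: %w", p, ErrSymlinkLoop)
		}
		seen[state] = true
		if !path.IsAbs(target) {
			target = path.Join(resolved, target)
		}
		// Splice the target's components in front of what is left and
		// restart from the root, since the target is now absolute.
		rest = append(components(target), rest...)
		resolved = "/"
	}
	return resolved, nil
}

// components splits a cleaned absolute path into its non-empty elements.
func components(p string) []string {
	clean := path.Clean("/" + p)
	if clean == "/" {
		return nil
	}
	return strings.Split(clean[1:], "/")
}

func main() {
	// Constructed link table: one ordinary indirection and one two-link cycle.
	fs := LinkTable{
		"/data":             "/mnt/disk",
		"/mnt/disk/current": "v2",
		"/loop/a":           "b",
		"/loop/b":           "a",
	}
	for _, p := range []string{"/data/current/db.sqlite", "/loop/a"} {
		got, err := fs.Resolve(p)
		fmt.Println(p, "->", got, err)
	}
}
```

The two errors are distinct on purpose: a hop bound alone turns a two-link cycle into forty wasted lookups before failing, and cycle detection alone does nothing against a long acyclic chain built to burn time, so a resolver wants both.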