
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,821 advisories

arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS Moderate
GHSA-rc6v-5rmx-w5mv was published for github.com/arnika-project/arnika (Go) May 15, 2026
Credited to dpolzoni and nean-and-i
goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request High
GHSA-mxg3-432p-mr72 was published for goshs.de/goshs/v2 (Go) May 15, 2026
Credited to offset
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files High
CVE-2026-45062 was published for github.com/dunglas/frankenphp (Go) May 15, 2026
Credited to KC1zs4, chenjj, and dunglas
slack-go `SecretsVerifier` accepts empty signing secret without precondition Moderate
GHSA-gxhx-2686-5h9g was published for github.com/slack-go/slack (Go) May 14, 2026
Credited to SnailSploit
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin Moderate
CVE-2026-45021 was published for github.com/kumahq/kuma (Go) May 14, 2026
go-billy has path traversal vulnerabilities High
CVE-2026-44973 was published for github.com/go-git/go-billy/v5 (Go) May 14, 2026
Credited to faran66 and vnykmshr
Portainer missing authorization on custom template file endpoint, which exposes template content Moderate
CVE-2026-44884 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to duddnr0615k
Portainer: JWT accepted in URL query leaks tokens to logs and referers High
CVE-2026-44883 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to scanpwn
Portainer has an endpoint security bypass via Swarm service create/update Critical
CVE-2026-44849 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to JohannesLks and route2shell
Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization High
CVE-2026-44882 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to kolega-ai-dev
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update High
CVE-2026-44881 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to b-hermes
Portainer has a bind-mount restriction bypass via HostConfig.Mounts High
CVE-2026-44850 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to offensiveee, alexwaira, jeroengui, AyushParkara, and marduc812
Portainer has a path traversal in backup archive extraction that allows arbitrary file write Moderate
CVE-2026-44885 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to kolega-ai-dev
Portainer missing authorization on Docker plugin endpoints, which allows host RCE Critical
CVE-2026-44848 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to ikkebr
Fleet: IP spoofing allows bypassing API rate limiting Moderate
CVE-2026-46356 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet vulnerable to OS command injection in software packages Moderate
CVE-2026-26191 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet server may terminate unexpectedly when handling certain gRPC requests High
CVE-2026-26062 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet Windows MDM Azure AD JWT Authentication Bypass High
CVE-2026-24899 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Credited to zaddy6 and arthurgervais
Fleet has a rate limiting bypass via untrusted client IP headers Moderate
CVE-2026-24000 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet has a Windows MDM management endpoint authentication bypass High
CVE-2026-23998 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution Critical
CVE-2026-45375 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to Revanth011
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs High
CVE-2026-45371 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to fg0x0
uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution High
CVE-2026-45152 was published for gitlab.com/uniget-org/cli (Go) May 13, 2026
Credited to 0x5t4l1n
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode Moderate
CVE-2026-45148 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to StarPlatinu
SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk Moderate
CVE-2026-45147 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to StarPlatinu