GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,307 advisories

Kyverno has unrestricted outbound requests in Kyverno apiCall enabling SSRF High
GHSA-qr4g-8hrp-c4rw was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to scumfrog
Credited to Giancannella and FrancescoDAlterio
free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions High
CVE-2026-40247 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Credited to Giancannella and FrancescoDAlterio
free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions High
CVE-2026-40246 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Credited to Giancannella and FrancescoDAlterio
free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication High
CVE-2026-40245 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Credited to Giancannella and FrancescoDAlterio
MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads High
GHSA-9c4q-hq6p-c237 was published for github.com/minio/minio (Go) Apr 14, 2026
Credited to ddd, harshavardhana, and donatello
In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation High
CVE-2026-40481 was published for github.com/monetr/monetr (Go) Apr 14, 2026
Credited to Jvr2022, th3fallen, and elliotcourant
Note Mark has Stored XSS via Unrestricted Asset Upload High
CVE-2026-40262 was published for github.com/enchant97/note-mark/backend (Go) Apr 13, 2026
Credited to QiaoNPC, Across-Verticals-Malaysia, and enchant97
Maddy Mail Server has an LDAP Filter Injection via Unsanitized Username High
CVE-2026-40193 was published for github.com/foxcpp/maddy (Go) Apr 13, 2026
Credited to RealHurrison and Ghost1032
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine High
CVE-2026-34984 was published for github.com/external-secrets/external-secrets (Go) Apr 13, 2026
Credited to kodareef5
Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server High
CVE-2026-34476 was published for github.com/apache/skywalking-mcp (Go) Apr 13, 2026
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint High
CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 10, 2026
Credited to msoneri
goshs is Missing Write Protection for Parametric Data Values High
CVE-2026-40188 was published for github.com/patrickhener/goshs (Go) Apr 10, 2026
Credited to marduc812
Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export High
GHSA-4h9q-p5j4-xvvh was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to threalwinky
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` High
CVE-2026-40318 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to ch1nhpd
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView` High
CVE-2026-40259 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to ch1nhpd
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering High
CVE-2026-40107 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to kodareef5
Vikunja vulnerable to Privilege Escalation via Project Reparenting High
CVE-2026-35595 was published for code.vikunja.io/api (Go) Apr 10, 2026
Credited to adrgs and aisafe-bot
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install High
CVE-2026-35205 was published for helm.sh/helm/v4 (Go) Apr 10, 2026
Credited to maru1009
Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path High
CVE-2026-34727 was published for code.vikunja.io/api (Go) Apr 10, 2026
MinIO affected by a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing High
CVE-2026-39414 was published for github.com/minio/minio (Go) Apr 9, 2026
Credited to klauspost, marktheunissen, donatello, XlabAITeam, and harshavardhana
HashiCorp's go-getter library may allow arbitrary file reads High
CVE-2026-4660 was published for github.com/hashicorp/go-getter (Go) Apr 9, 2026
mercure has Topic Selector Cache Key Collision High
CVE-2026-39972 was published for github.com/dunglas/mercure (Go) Apr 8, 2026
Credited to dunglas
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking High
CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) Apr 8, 2026
Credited to kodareef5 and dmathieu