GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
3,549 advisories
Vikunja vulnerable to Privilege Escalation via Project Reparenting
High · CVE-2026-35595 was published for code.vikunja.io/api (Go) · Apr 10, 2026

Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Moderate · CVE-2026-35206 was published for helm.sh/helm/v3 (Go) · Apr 10, 2026

Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
High · CVE-2026-35205 was published for helm.sh/helm/v4 (Go) · Apr 10, 2026

Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
High · CVE-2026-35204 was published for helm.sh/helm/v4 (Go) · Apr 10, 2026

Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Moderate · CVE-2026-35594 was published for code.vikunja.io/api (Go) · Apr 10, 2026

Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
High · CVE-2026-34727 was published for code.vikunja.io/api (Go) · Apr 10, 2026

MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing
High · CVE-2026-39414 was published for github.com/minio/minio (Go) · Apr 9, 2026

HashiCorp's go-getter library may allow arbitrary file reads
High · CVE-2026-4660 was published for github.com/hashicorp/go-getter (Go) · Apr 9, 2026

OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Moderate · CVE-2026-40293 was published for github.com/openfga/openfga (Go) · Apr 8, 2026

mercure has Topic Selector Cache Key Collision
High · CVE-2026-39972 was published for github.com/dunglas/mercure (Go) · Apr 8, 2026

monetr: Protected Transactions Deletable via PUT
Moderate · CVE-2026-39901 was published for github.com/monetr/monetr (Go) · Apr 8, 2026

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
High · CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) · Apr 8, 2026

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
Moderate · CVE-2026-39882 was published for go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp (Go) · Apr 8, 2026

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
High · CVE-2026-27806 was published for github.com/fleetdm/fleet/v4 (Go) · Apr 8, 2026

kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution
Moderate · GHSA-h9mw-h4qc-f5jf was published for github.com/platform-mesh/kubernetes-graphql-gateway (Go) · Apr 8, 2026

kcp's cache server is accessible without authentication or authorization checks
High · CVE-2026-39429 was published for github.com/kcp-dev/kcp (Go) · Apr 8, 2026

SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
Critical · CVE-2026-39846 was published for github.com/siyuan-note/siyuan/kernel (Go) · Apr 8, 2026

Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
Moderate · GHSA-xmrv-pmrh-hhx2 was published for github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream (Go) · Apr 8, 2026

Cosign's verify-blob-attestation reports false positive when payload parsing fails
Moderate · CVE-2026-39395 was published for github.com/sigstore/cosign (Go) · Apr 8, 2026

kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
Moderate · GHSA-fcmh-qfxc-w685 was published for github.com/cloudnativelabs/kube-router/v2 (Go) · Apr 8, 2026

File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
High · CVE-2026-35607 was published for github.com/filebrowser/filebrowser/v2 (Go) · Apr 8, 2026

File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
Moderate · CVE-2026-35606 was published for github.com/filebrowser/filebrowser/v2 (Go) · Apr 8, 2026

File Browser share links remain accessible after Share/Download permissions are revoked
High · CVE-2026-35604 was published for github.com/filebrowser/filebrowser/v2 (Go) · Apr 8, 2026

File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
Moderate · CVE-2026-35605 was published for github.com/filebrowser/filebrowser/v2 (Go) · Apr 8, 2026

File Browser has a Command Injection via Hook Runner
High · CVE-2026-35585 was published for github.com/filebrowser/filebrowser/v2 (Go) · Apr 8, 2026