Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

217 advisories

Loading
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise High
CVE-2026-53553 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
What-canIsay Credited to What-canIsay
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth Low
CVE-2026-49254 was published for d7y.io/dragonfly/v2 (Go) Jul 2, 2026
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
ORAS Go forwards registry credentials across registry redirects Moderate
GHSA-vh4v-2xq2-g5cg was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
mosskappa Credited to mosskappa
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec High
GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go) Jun 30, 2026
FORIMOC Credited to FORIMOC, Yuremin, and sanketsudake Yuremin Yuremin
sanketsudake sanketsudake
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API Moderate
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
sondt99 Credited to sondt99
Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API Moderate
CVE-2026-52815 was published for gogs.io/gogs (Go) Jun 23, 2026
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName Moderate
CVE-2026-11769 was published for github.com/grafana/grafana-operator (Go) Jun 19, 2026
cherez0ff Credited to cherez0ff
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server High
CVE-2026-55882 was published for github.com/tilt-dev/tilt (Go) Jun 19, 2026
therawdev Credited to therawdev
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint Moderate
CVE-2026-46371 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint Moderate
CVE-2026-46370 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS High
CVE-2026-48050 was published for github.com/basekick-labs/arc (Go) Jun 11, 2026
NeuroWinter Credited to NeuroWinter
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth High
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) Jun 10, 2026
everping Credited to everping, arminru, jaronoff97, and swiatekm arminru arminru
jaronoff97 jaronoff97 swiatekm swiatekm
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
offset Credited to offset
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks High
CVE-2026-47735 was published for github.com/basekick-labs/arc (Go) Jun 8, 2026
NeuroWinter Credited to NeuroWinter
Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService High
CVE-2026-45726 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions Moderate
CVE-2026-3636 was published for github.com/mattermost/mattermost-server (Go) May 26, 2026
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members Moderate
CVE-2026-47124 was published for github.com/nezhahq/nezha (Go) May 23, 2026
sondt99 Credited to sondt99
FileBrowser Quantum: unauthenticated user share share info High
CVE-2026-46410 was published for github.com/gtsteffaniak/filebrowser (Go) May 19, 2026
bugbunny-research Credited to bugbunny-research
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations Moderate
CVE-2026-45737 was published for github.com/argoproj/argo-cd/v3 (Go) May 19, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication Moderate
GHSA-9v4j-7g44-qcqw was published for github.com/xyproto/algernon (Go) May 19, 2026
Dredsen Credited to Dredsen
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure Low
CVE-2026-45683 was published for go.opentelemetry.io/obi (Go) May 18, 2026
MrAlias Credited to MrAlias and grcevski grcevski grcevski
Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin High
CVE-2026-6347 was published for github.com/mattermost/mattermost-plugin-calls (Go) May 18, 2026
Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation High
CVE-2026-6346 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
ProTip! Advisories are also available from the GraphQL API