Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

216 advisories

Loading
Ech0 comment model's Email field returned on public /api/comments endpoints Moderate
GHSA-rj4g-rqgh-rx9h was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction Critical
CVE-2026-42880 was published for github.com/argoproj/argo-cd/v3 (Go) May 7, 2026
hoang-prod Credited to hoang-prod
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
DevSpace UI Server WebSocket CheckOrigin does not validate source High
CVE-2026-42283 was published for github.com/loft-sh/devspace (Go) May 6, 2026
b0b0haha Credited to b0b0haha
Nginx-UI Settings API Exposes Protected Secrets Moderate
CVE-2026-42223 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
yotampe-pluto Credited to yotampe-pluto
Prometheus Azure AD remote write OAuth client secret exposed via config API High
CVE-2026-42151 was published for github.com/prometheus/prometheus (Go) May 5, 2026
brettgervasoni Credited to brettgervasoni
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters Moderate
CVE-2026-30246 was published for github.com/gofiber/fiber/v3 (Go) Apr 28, 2026
xeloxa Credited to xeloxa, gaby, and ReneWerner87 gaby gaby
ReneWerner87 ReneWerner87
Cillium exposes sensitive information included in the cilium-bugtool debug archive High
CVE-2026-41520 was published for github.com/cilium/cilium (Go) Apr 25, 2026
tklauser Credited to tklauser and kodareef5 kodareef5 kodareef5
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars Critical
CVE-2026-41492 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
MaherAzzouzi Credited to MaherAzzouzi
Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak) High
GHSA-8wfp-579w-6r25 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
scumfrog Credited to scumfrog
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL High
CVE-2026-41323 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity
komi22 Credited to komi22
Pyroscope Exposes Storage Secret Critical
CVE-2025-41118 was published for github.com/grafana/pyroscope (Go) Apr 15, 2026
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access High
CVE-2026-40885 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
R1ZZG0D Credited to R1ZZG0D
free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication High
CVE-2026-40245 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine High
CVE-2026-34984 was published for github.com/external-secrets/external-secrets (Go) Apr 13, 2026
kodareef5 Credited to kodareef5
HashiCorp's go-getter library may allow arbitrary file reads High
CVE-2026-4660 was published for github.com/hashicorp/go-getter (Go) Apr 9, 2026
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response Moderate
CVE-2026-40293 was published for github.com/openfga/openfga (Go) Apr 8, 2026
bugbunny-research Credited to bugbunny-research
Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback Low
CVE-2026-34969 was published for github.com/nhost/nhost (Go) Apr 1, 2026
0xkakash1 Credited to 0xkakash1
Grafana public dashboards disclose all direct mode datasources Moderate
CVE-2026-27877 was published for github.com/grafana/grafana (Go) Mar 27, 2026
Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API Moderate
CVE-2026-33677 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
In Soft Serve, an authenticated repo import can clone server-local private repositories High
CVE-2026-33353 was published for github.com/charmbracelet/soft-serve (Go) Mar 19, 2026
evnsh Credited to evnsh
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service Critical
CVE-2026-32938 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 17, 2026
TCOTC Credited to TCOTC, YuxinZhaozyx, and 88250 YuxinZhaozyx YuxinZhaozyx
88250 88250
Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values High
CVE-2026-2476 was published for github.com/mattermost/mattermost-plugin-msteams (Go) Mar 16, 2026
ProTip! Advisories are also available from the GraphQL API