GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
96
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
73 advisories
Filter by severity
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
High
CVE-2026-2092
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 2, 2026
oras-go has file store write outside workingDir via symlink traversal
Moderate
CVE-2026-50162
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Low
CVE-2026-48978
was published
for
oras.land/oras-go
(Go)
Jul 1, 2026
sigstore-js has Insufficient Verification of Data Authenticity
Moderate
CVE-2026-48816
was published
for
@sigstore/verify
(npm)
Jul 1, 2026
nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
Moderate
CVE-2026-46539
was published
for
nimiq-primitives
(Rust)
May 21, 2026
in-toto-golang and in-toto-python have inconsistent negation behavior
Moderate
GHSA-pmwq-pjrm-6p5r
was published
for
github.com/in-toto/in-toto-golang
(Go)
May 8, 2026
awslabs/tough is Missing Delegated Metadata Validation
High
CVE-2026-6967
was published
for
tough
(Rust)
May 5, 2026
awslabs/tough Delegated Roles have a Signature Threshold Bypass
High
CVE-2026-6966
was published
for
tough
(Rust)
May 5, 2026
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
High
CVE-2026-42575
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
High
CVE-2026-42574
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
Moderate
CVE-2026-42576
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
melange has Path Traversal via .PKGINFO in --persist-lint-results
Low
CVE-2026-29051
was published
for
chainguard.dev/melange
(Go)
Apr 23, 2026
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
Moderate
CVE-2026-29050
was published
for
chainguard.dev/melange
(Go)
Apr 23, 2026
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies
Moderate
CVE-2026-40182
was published
for
OpenTelemetry.Exporter.OpenTelemetryProtocol
(NuGet)
Apr 23, 2026
nimiq-blockchain: Peer-triggerable panic during history sync
Moderate
CVE-2026-34066
was published
for
nimiq-blockchain
(Rust)
Apr 22, 2026
nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge
Moderate
CVE-2026-34068
was published
for
nimiq-transaction
(Rust)
Apr 22, 2026
nimiq-transaction: Panic via `HistoryTreeProof` length mismatch
Low
CVE-2026-34067
was published
for
nimiq-transaction
(Rust)
Apr 22, 2026
nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
High
CVE-2026-34065
was published
for
nimiq-primitives
(Rust)
Apr 22, 2026
nimiq-account: Vesting insufficient funds error can panic
Moderate
CVE-2026-34064
was published
for
nimiq-account
(Rust)
Apr 22, 2026
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
Critical
CVE-2026-33471
was published
for
nimiq-block
(Rust)
Apr 22, 2026
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
Moderate
CVE-2026-25542
was published
for
github.com/tektoncd/pipeline
(Go)
Apr 21, 2026
Istio: SSRF via RequestAuthentication jwksUri
Moderate
CVE-2026-41413
was published
for
istio.io/istio
(Go)
Apr 16, 2026
webpki: Name constraints were accepted for certificates asserting a wildcard name
Low
GHSA-xgp8-3hg3-c2mh
was published
for
rustls-webpki
(Rust)
Apr 16, 2026
webpki: Name constraints for URI names were incorrectly accepted
Low
GHSA-965h-392x-2mh5
was published
for
rustls-webpki
(Rust)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API