GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
37 advisories
Filter by severity
oras-go has file store write outside workingDir via symlink traversal
Moderate
CVE-2026-50162
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
sigstore-js has Insufficient Verification of Data Authenticity
Moderate
CVE-2026-48816
was published
for
@sigstore/verify
(npm)
Jul 1, 2026
nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
Moderate
CVE-2026-46539
was published
for
nimiq-primitives
(Rust)
May 21, 2026
in-toto-golang and in-toto-python have inconsistent negation behavior
Moderate
GHSA-pmwq-pjrm-6p5r
was published
for
github.com/in-toto/in-toto-golang
(Go)
May 8, 2026
apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
Moderate
CVE-2026-42576
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
Moderate
CVE-2026-29050
was published
for
chainguard.dev/melange
(Go)
Apr 23, 2026
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies
Moderate
CVE-2026-40182
was published
for
OpenTelemetry.Exporter.OpenTelemetryProtocol
(NuGet)
Apr 23, 2026
nimiq-blockchain: Peer-triggerable panic during history sync
Moderate
CVE-2026-34066
was published
for
nimiq-blockchain
(Rust)
Apr 22, 2026
nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge
Moderate
CVE-2026-34068
was published
for
nimiq-transaction
(Rust)
Apr 22, 2026
nimiq-account: Vesting insufficient funds error can panic
Moderate
CVE-2026-34064
was published
for
nimiq-account
(Rust)
Apr 22, 2026
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
Moderate
CVE-2026-25542
was published
for
github.com/tektoncd/pipeline
(Go)
Apr 21, 2026
Istio: SSRF via RequestAuthentication jwksUri
Moderate
CVE-2026-41413
was published
for
istio.io/istio
(Go)
Apr 16, 2026
nimiq-consensus panics via RequestMacroChain micro-block locator
Moderate
CVE-2026-34069
was published
for
nimiq-consensus
(Rust)
Apr 13, 2026
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Moderate
CVE-2026-35206
was published
for
helm.sh/helm/v3
(Go)
Apr 10, 2026
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
Moderate
CVE-2026-39882
was published
for
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
(Go)
Apr 8, 2026
webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic
Moderate
GHSA-pwjx-qhcg-rvj4
was published
for
rustls-webpki
(Rust)
Mar 20, 2026
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun
Moderate
CVE-2026-33022
was published
for
github.com/tektoncd/pipeline
(Go)
Mar 17, 2026
Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
Moderate
CVE-2026-29777
was published
for
github.com/traefik/traefik
(Go)
Mar 11, 2026
OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
Moderate
CVE-2026-28457
was published
for
openclaw
(npm)
Mar 2, 2026
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI
Moderate
CVE-2026-29049
was published
for
chainguard.dev/melange
(Go)
Mar 2, 2026
malcontent: Error-path cleanup gap can leak scanners and fds and degrade availability
Moderate
GHSA-54p8-x2m9-c593
was published
for
github.com/chainguard-dev/malcontent
(Go)
Mar 2, 2026
malcontent: Nested archive extraction failure can drop content from scan inputs
Moderate
CVE-2026-28407
was published
for
github.com/chainguard-dev/malcontent
(Go)
Feb 28, 2026
Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations
Moderate
CVE-2026-22728
was published
for
github.com/bitnami-labs/sealed-secrets
(Go)
Feb 26, 2026
Caddy is vulnerable to cross-origin config application via local admin API /load
Moderate
CVE-2026-27589
was published
for
github.com/caddyserver/caddy/v2
(Go)
Feb 24, 2026
Trivy Action has a script injection via sourced env file in composite action
Moderate
CVE-2026-26189
was published
for
aquasecurity/trivy-action
(GitHub Actions)
Feb 18, 2026
ProTip!
Advisories are also available from the
GraphQL API