Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10 advisories

Loading
Traefik: TCP readTimeout bypass via STARTTLS on Postgres High
CVE-2026-25949 was published for github.com/traefik/traefik/v3 (Go) Feb 12, 2026
manizada Credited to manizada
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap Moderate
CVE-2026-41568 was published for github.com/docker/docker (Go) May 18, 2026
manizada Credited to manizada and vvoland vvoland vvoland
Docker: `PUT /containers/{id}/archive` executes container binary on the host High
CVE-2026-41567 was published for github.com/docker/docker (Go) May 18, 2026
manizada Credited to manizada and vvoland vvoland vvoland
Moby has AuthZ plugin bypass when provided oversized request bodies High
CVE-2026-34040 was published for github.com/docker/docker (Go) Mar 27, 2026
vvoland Credited to vvoland, manizada, VladimirEliTokarev, 1seal, and bottarocarlo manizada manizada
VladimirEliTokarev VladimirEliTokarev 1seal 1seal bottarocarlo bottarocarlo
CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass) High
CVE-2026-33489 was published for github.com/coredns/coredns (Go) Apr 28, 2026
manizada Credited to manizada
CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC High
CVE-2026-33190 was published for github.com/coredns/coredns (Go) Apr 28, 2026
manizada Credited to manizada
CoreDNS' DoQ worker pool does not bound stream backlog High
CVE-2026-32934 was published for github.com/coredns/coredns (Go) Apr 28, 2026
manizada Credited to manizada
etcd: Authorization bypasses in multiple APIs High
CVE-2026-33413 was published for go.etcd.io/etcd (Go) Mar 20, 2026
manizada Credited to manizada
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass High
CVE-2026-27588 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
manizada Credited to manizada
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass High
CVE-2026-27587 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
manizada Credited to manizada
ProTip! Advisories are also available from the GraphQL API