Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10 advisories

Loading
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check Moderate
CVE-2026-53624 was published for github.com/gofiber/fiber (Go) Jul 6, 2026
sondt99 Credited to sondt99, dungNHVhust, gaby, and ReneWerner87 dungNHVhust dungNHVhust
gaby gaby ReneWerner87 ReneWerner87
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass High
CVE-2026-49998 was published for github.com/centrifugal/centrifugo (Go) Jul 1, 2026
sondt99 Credited to sondt99
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API Moderate
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
sondt99 Credited to sondt99
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing Moderate
CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
sondt99 Credited to sondt99
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
wooseokdotkim Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5 IAM-marco IAM-marco
livio-a livio-a 0xBassia 0xBassia alanturing881 alanturing881 dungNHVhust dungNHVhust sondt99 sondt99 DavidCarliez DavidCarliez tikket1 tikket1 Wernerina Wernerina morimori-dev morimori-dev vamsik2k5 vamsik2k5
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents High
CVE-2026-49396 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
sondt99 Credited to sondt99
sondt99 Credited to sondt99
Nezha's authenticated agents can forge service-monitor results for other users' services High
CVE-2026-48119 was published for github.com/nezhahq/nezha (Go) Jun 1, 2026
sondt99 Credited to sondt99
Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host Moderate
CVE-2026-47268 was published for github.com/naiba/nezha (Go) May 29, 2026
sondt99 Credited to sondt99
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members Moderate
CVE-2026-47124 was published for github.com/nezhahq/nezha (Go) May 23, 2026
sondt99 Credited to sondt99
ProTip! Advisories are also available from the GraphQL API