GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,258
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
216 advisories
Filter by severity
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth
Low
CVE-2026-49254
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 2, 2026
Kerberos Hub private key (X-Kerberos-Hub-PrivateKey) leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect
Moderate
CVE-2026-50192
was published
for
github.com/kerberos-io/agent/machinery
(Go)
Jul 2, 2026
ORAS Go forwards registry credentials across registry redirects
Moderate
GHSA-vh4v-2xq2-g5cg
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec
High
GHSA-7m8x-qg2j-4m3v
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API
Moderate
GHSA-ww5p-j6cj-6mqq
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API
Moderate
CVE-2026-52815
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName
Moderate
CVE-2026-11769
was published
for
github.com/grafana/grafana-operator
(Go)
Jun 19, 2026
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
High
CVE-2026-55882
was published
for
github.com/tilt-dev/tilt
(Go)
Jun 19, 2026
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint
Moderate
CVE-2026-46371
was published
for
github.com/fleetdm/fleet/v4
(Go)
Jun 12, 2026
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint
Moderate
CVE-2026-46370
was published
for
github.com/fleetdm/fleet/v4
(Go)
Jun 12, 2026
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
High
CVE-2026-48050
was published
for
github.com/basekick-labs/arc
(Go)
Jun 11, 2026
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth
High
CVE-2026-47701
was published
for
github.com/open-telemetry/opentelemetry-operator
(Go)
Jun 10, 2026
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Moderate
CVE-2026-49397
was published
for
github.com/nezhahq/nezha
(Go)
Jun 10, 2026
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks
High
CVE-2026-47735
was published
for
github.com/basekick-labs/arc
(Go)
Jun 8, 2026
Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService
High
CVE-2026-45726
was published
for
github.com/siderolabs/omni
(Go)
Jun 5, 2026
Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions
Moderate
CVE-2026-3636
was published
for
github.com/mattermost/mattermost-server
(Go)
May 26, 2026
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Moderate
CVE-2026-47124
was published
for
github.com/nezhahq/nezha
(Go)
May 23, 2026
FileBrowser Quantum: unauthenticated user share share info
High
CVE-2026-46410
was published
for
github.com/gtsteffaniak/filebrowser
(Go)
May 19, 2026
Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation
Moderate
GHSA-m23h-6mwm-39m8
was published
for
github.com/kong/kubernetes-ingress-controller
(Go)
May 19, 2026
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations
Moderate
CVE-2026-45737
was published
for
github.com/argoproj/argo-cd/v3
(Go)
May 19, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
Moderate
GHSA-9v4j-7g44-qcqw
was published
for
github.com/xyproto/algernon
(Go)
May 19, 2026
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure
Low
CVE-2026-45683
was published
for
go.opentelemetry.io/obi
(Go)
May 18, 2026
Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
High
CVE-2026-6347
was published
for
github.com/mattermost/mattermost-plugin-calls
(Go)
May 18, 2026
Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
High
CVE-2026-6346
was published
for
github.com/mattermost/mattermost-server
(Go)
May 18, 2026
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update
High
CVE-2026-44881
was published
for
github.com/portainer/portainer
(Go)
May 14, 2026
ProTip!
Advisories are also available from the
GraphQL API