GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
49 advisories
Filter by severity
sigstore-go has a multi-log threshold bypass via single compromised log
Moderate
CVE-2026-49834
was published
for
github.com/sigstore/sigstore-go
(Go)
Jul 9, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Moderate
CVE-2026-55430
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
High
CVE-2026-44937
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
chi Has an IP Spoofing Vulnerability in `middleware.RealIP`
Moderate
GHSA-3fxj-6jh8-hvhx
was published
for
github.com/go-chi/chi/v5/middleware
(Go)
Jun 25, 2026
Gogs: LFS dedupe path leaks private repo content across tenants
High
CVE-2026-52812
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag
Critical
GHSA-wfqx-gjrf-g28r
was published
for
github.com/crossplane/crossplane
(Go)
Jun 19, 2026
containerd: CRI checkpoint import allows local image tag poisoning
Moderate
CVE-2026-50195
was published
for
github.com/containerd/containerd/v2
(Go)
Jun 19, 2026
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
High
CVE-2026-55883
was published
for
github.com/tilt-dev/tilt
(Go)
Jun 19, 2026
OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning
Moderate
CVE-2026-48096
was published
for
github.com/openfga/openfga
(Go)
Jun 11, 2026
arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
Moderate
GHSA-rc6v-5rmx-w5mv
was published
for
github.com/arnika-project/arnika
(Go)
May 15, 2026
go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
High
CVE-2026-45022
was published
for
github.com/go-git/go-git/v5
(Go)
May 11, 2026
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery
Critical
CVE-2026-44523
was published
for
github.com/enchant97/note-mark/backend
(Go)
May 7, 2026
axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
Moderate
GHSA-mhc4-qq83-fmrr
was published
for
github.com/getaxonflow/axonflow-sdk-go/v5
(Go)
May 6, 2026
nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token
Moderate
CVE-2026-41164
was published
for
github.com/nuts-foundation/nuts-node
(Go)
May 5, 2026
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
High
CVE-2026-42575
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
High
CVE-2026-35051
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
High
CVE-2026-41432
was published
for
github.com/QuantumNous/new-api
(Go)
Apr 24, 2026
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Low
CVE-2026-40109
was published
for
github.com/fluxcd/notification-controller
(Go)
Apr 10, 2026
OpenFGA has an Authorization Bypass through cached keys
Moderate
CVE-2026-33729
was published
for
github.com/openfga/openfga
(Go)
Mar 26, 2026
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
Low
CVE-2026-33221
was published
for
github.com/nhost/nhost
(Go)
Mar 18, 2026
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
High
CVE-2026-30851
was published
for
github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy
(Go)
Mar 6, 2026
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes
High
CVE-2026-30223
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
Gogs: Cross-repository LFS object overwrite via missing content hash verification
Critical
CVE-2026-25921
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
EVE Doesn't Protect Rootfs
Moderate
CVE-2023-43636
was published
for
github.com/lf-edge/eve/pkg/grub
(Go)
Feb 4, 2026
Cosign verification accepts any valid Rekor entry under certain conditions
Moderate
CVE-2026-22703
was published
for
github.com/sigstore/cosign/v2
(Go)
Jan 13, 2026
ProTip!
Advisories are also available from the
GraphQL API