
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

17 advisories

Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container Moderate
CVE-2026-50565 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to tonghuaroot and sanketsudake
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter Moderate
CVE-2026-49336 was published for @microsoft/kiota-http-fetchlibrary (npm) Jun 26, 2026
Credited to tonghuaroot, baywet, and adrian05-ms
Credited to tonghuaroot
Credited to tonghuaroot and endelwar
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) Low
CVE-2026-48756 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to tonghuaroot and stgraber
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool} Low
CVE-2026-48754 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to tonghuaroot and stgraber
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation Moderate
CVE-2026-48504 was published for opentelemetry_sdk (Rust) Jun 25, 2026
Credited to tonghuaroot and lalitb
Credited to tonghuaroot
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag Critical
GHSA-wfqx-gjrf-g28r was published for github.com/crossplane/crossplane (Go) Jun 19, 2026
Credited to bugbunny-research and tonghuaroot
Credited to tonghuaroot and UlisesGascon
OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation Moderate
CVE-2026-54285 was published for @opentelemetry/core (npm) Jun 15, 2026
Credited to tonghuaroot, pichlermarc, trentm, and arminru
aiohttp: CRLF injection in multipart headers Low
CVE-2026-50269 was published for aiohttp (pip) Jun 15, 2026
Credited to tonghuaroot and Dreamsorcerer
Credited to tonghuaroot and nicolas-grekas
Credited to tonghuaroot
Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted) Moderate
CVE-2026-47753 was published for github.com/lxc/incus/v7 (Go) Jun 10, 2026
Credited to tonghuaroot and stgraber