
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,194 advisories

Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality Moderate
CVE-2026-49835 was published for github.com/sigstore/timestamp-authority (Go) Jun 30, 2026
Credited to bugbunny-research
Probo has an open redirect bypass via path normalization Moderate
CVE-2026-49820 was published for go.probo.inc/probo (Go) Jun 30, 2026
Credited to Fushuling
Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation Critical
CVE-2026-50566 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to HiyokoSauna37 and sanketsudake
Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container Moderate
CVE-2026-50565 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to tonghuaroot and sanketsudake
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape Critical
CVE-2026-50564 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to 0xVijay and sanketsudake
Fission Container Executor Function PodSpec Injection Leading to Node Escape Critical
CVE-2026-50563 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover Critical
CVE-2026-50545 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook High
CVE-2026-49824 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook High
CVE-2026-49823 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance High
CVE-2026-49822 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration High
CVE-2026-49821 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec High
GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to FORIMOC, Yuremin, and sanketsudake
Kahi has privilege-drop and socket/log permission issues High
GHSA-55f6-4pr5-c7m5 was published for github.com/kahiteam/kahi (Go) Jun 30, 2026
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query High
CVE-2026-44840 was published for github.com/dgraph-io/dgraph/v25 (Go) Jun 29, 2026
Credited to SnailSploit
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API Moderate
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to sondt99
Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) High
CVE-2026-49338 was published for go.senan.xyz/gonic (Go) Jun 26, 2026
Credited to therawdev
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection Moderate
CVE-2026-53523 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to alcls01111
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS Moderate
CVE-2026-53522 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to alcls01111
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key Critical
CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to riodrwn
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context Moderate
CVE-2026-53521 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to baradika
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing Moderate
CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to sondt99
regclient may leak authentication credentials to external blob stores Moderate
CVE-2026-49349 was published for github.com/regclient/regclient (Go) Jun 26, 2026
Credited to GimmyDatBeeR and sudo-bmitch