GitHub Advisory Database
Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.
Advisories are split into GitHub-reviewed and unreviewed. Reviewed counts by ecosystem at the time of capture (the listing shows "5,000+" instead of an exact figure above that threshold):

| Ecosystem | GitHub-reviewed advisories |
|---|---|
| All reviewed | 5,000+ |
| Composer | 5,000+ |
| Erlang | 91 |
| GitHub Actions | 54 |
| Go | 4,194 |
| Maven | 5,000+ |
| npm | 5,000+ |
| NuGet | 1,021 |
| pip | 5,000+ |
| Pub | 13 |
| RubyGems | 1,102 |
| Rust | 1,422 |
| Swift | 61 |

Unreviewed advisories, all ecosystems: 5,000+

This view is filtered to the 4,194 GitHub-reviewed advisories for the Go ecosystem; the 25 most recently published are listed below.
| Published | Severity | Identifier | Package (Go) | Summary |
|---|---|---|---|---|
| Jun 30, 2026 | Moderate | CVE-2026-49835 | github.com/sigstore/timestamp-authority | Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality |
| Jun 30, 2026 | High | CVE-2026-49478 | github.com/sigstore/fulcio | Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage |
| Jun 30, 2026 | Moderate | CVE-2026-49820 | go.probo.inc/probo | Probo has an open redirect bypass via path normalization |
| Jun 30, 2026 | Critical | CVE-2026-50566 | github.com/fission/fission | Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation |
| Jun 30, 2026 | Moderate | CVE-2026-50565 | github.com/fission/fission | Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container |
| Jun 30, 2026 | Critical | CVE-2026-50564 | github.com/fission/fission | Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape |
| Jun 30, 2026 | Critical | CVE-2026-50563 | github.com/fission/fission | Fission Container Executor Function PodSpec Injection Leading to Node Escape |
| Jun 30, 2026 | Critical | CVE-2026-50545 | github.com/fission/fission | Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover |
| Jun 30, 2026 | High | CVE-2026-49824 | github.com/fission/fission | Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook |
| Jun 30, 2026 | High | CVE-2026-49823 | github.com/fission/fission | Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook |
| Jun 30, 2026 | High | CVE-2026-49822 | github.com/fission/fission | Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance |
| Jun 30, 2026 | High | CVE-2026-49821 | github.com/fission/fission | Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration |
| Jun 30, 2026 | High | GHSA-7m8x-qg2j-4m3v | github.com/fission/fission | Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec |
| Jun 30, 2026 | High | GHSA-55f6-4pr5-c7m5 | github.com/kahiteam/kahi | Kahi has privilege-drop and socket/log permission issues |
| Jun 29, 2026 | High | CVE-2026-44840 | github.com/dgraph-io/dgraph/v25 | Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query |
| Jun 26, 2026 | Moderate | GHSA-ww5p-j6cj-6mqq | github.com/nezhahq/nezha | Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API |
| Jun 26, 2026 | High | CVE-2026-49338 | go.senan.xyz/gonic | Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) |
| Jun 26, 2026 | High | CVE-2026-49339 | go.senan.xyz/gonic | gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists |
| Jun 26, 2026 | High | CVE-2026-49340 | go.senan.xyz/gonic | gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host |
| Jun 26, 2026 | Moderate | CVE-2026-53523 | github.com/nezhahq/nezha | Nezha Monitoring: OAuth2 Redirect URL: Host Header Injection |
| Jun 26, 2026 | Moderate | CVE-2026-53522 | github.com/nezhahq/nezha | Nezha Monitoring: Unbounded WebSocket Streams: Resource Exhaustion DoS |
| Jun 26, 2026 | Critical | CVE-2026-53519 | github.com/nezhahq/nezha | Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key |
| Jun 26, 2026 | Moderate | CVE-2026-53521 | github.com/nezhahq/nezha | Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context |
| Jun 26, 2026 | Moderate | CVE-2026-53520 | github.com/nezhahq/nezha | Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing |
| Jun 26, 2026 | Moderate | CVE-2026-49349 | github.com/regclient/regclient | regclient may leak authentication credentials to external blob stores |

Identifiers are CVE IDs where one has been assigned; advisories without a CVE are listed under their GHSA ID.
Advisories are also available from the GraphQL API.
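As an added example (not code from this page or from GitHub), the following Go program pulls the same Go-ecosystem listing through the GraphQL API and flattens it into one record per affected package. The query uses the `securityVulnerabilities` field and the `advisory`, `package`, `vulnerableVersionRange` and `firstPatchedVersion` sub-fields as published in GitHub's public schema; confirm them against the live schema explorer before relying on them. The embedded reply is constructed to match that shape and is seeded with two rows from the table above; its GHSA ID for the Nezha advisory, version ranges and patched versions are placeholders, not data from the database.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

// advisoryQuery follows the public GitHub GraphQL schema (assumed field names;
// verify against the live schema). ecosystem: GO mirrors the listing's filter.
const advisoryQuery = `query($n: Int!) {
  securityVulnerabilities(ecosystem: GO, first: $n,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    nodes {
      advisory { ghsaId summary severity publishedAt identifiers { type value } }
      package { name }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}`

// Advisory is the flat record behind one listing row.
type Advisory struct {
	GHSA, CVE, Summary, Severity, Package, Range, Patched, Published string
}

// response mirrors only the parts of the reply that we read; encoding/json
// matches untagged fields case-insensitively, so short names need no tags.
type response struct {
	Data struct {
		SecurityVulnerabilities struct {
			Nodes []struct {
				Advisory struct {
					GhsaID      string `json:"ghsaId"`
					Summary     string
					Severity    string
					PublishedAt string                         `json:"publishedAt"`
					Identifiers []struct{ Type, Value string } `json:"identifiers"`
				} `json:"advisory"`
				Package                struct{ Name string }        `json:"package"`
				VulnerableVersionRange string                       `json:"vulnerableVersionRange"`
				FirstPatchedVersion    *struct{ Identifier string } `json:"firstPatchedVersion"`
			} `json:"nodes"`
		} `json:"securityVulnerabilities"`
	} `json:"data"`
	Errors []struct{ Message string } `json:"errors"`
}

// ParseAdvisories flattens a reply body. GraphQL errors arrive with HTTP 200,
// so they must be surfaced here rather than by the transport layer.
func ParseAdvisories(body []byte) ([]Advisory, error) {
	var r response
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if len(r.Errors) > 0 {
		return nil, fmt.Errorf("graphql: %s", r.Errors[0].Message)
	}
	var out []Advisory
	for _, n := range r.Data.SecurityVulnerabilities.Nodes {
		a := Advisory{GHSA: n.Advisory.GhsaID, Summary: n.Advisory.Summary,
			Severity: n.Advisory.Severity, Published: n.Advisory.PublishedAt,
			Package: n.Package.Name, Range: n.VulnerableVersionRange}
		for _, id := range n.Advisory.Identifiers {
			if id.Type == "CVE" { // GHSA-only advisories carry no CVE entry
				a.CVE = id.Value
			}
		}
		if n.FirstPatchedVersion != nil { // null while no fixed release exists
			a.Patched = n.FirstPatchedVersion.Identifier
		}
		out = append(out, a)
	}
	return out, nil
}

// FetchAdvisories runs the live query. The data is public, but the GraphQL
// endpoint still requires a token; no special scopes are assumed.
func FetchAdvisories(token string, n int) ([]Advisory, error) {
	payload, _ := json.Marshal(map[string]any{"query": advisoryQuery, "variables": map[string]int{"n": n}})
	req, err := http.NewRequest("POST", "https://api.github.com/graphql", bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap untrusted body size
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("graphql: HTTP %d: %s", resp.StatusCode, body)
	}
	return ParseAdvisories(body)
}

// SampleResponse is constructed (not captured from GitHub) in the reply shape
// above, seeded with two rows from the listing. The Nezha GHSA ID, version
// ranges and patched versions are placeholders.
const SampleResponse = `{"data":{"securityVulnerabilities":{"nodes":[
{"advisory":{"ghsaId":"GHSA-0000-0000-0000","summary":"Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key","severity":"CRITICAL","publishedAt":"2026-06-26T00:00:00Z","identifiers":[{"type":"GHSA","value":"GHSA-0000-0000-0000"},{"type":"CVE","value":"CVE-2026-53519"}]},"package":{"name":"github.com/nezhahq/nezha"},"vulnerableVersionRange":"< 1.0.0","firstPatchedVersion":{"identifier":"1.0.0"}},
{"advisory":{"ghsaId":"GHSA-7m8x-qg2j-4m3v","summary":"Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec","severity":"HIGH","publishedAt":"2026-06-30T00:00:00Z","identifiers":[{"type":"GHSA","value":"GHSA-7m8x-qg2j-4m3v"}]},"package":{"name":"github.com/fission/fission"},"vulnerableVersionRange":"<= 9.9.9","firstPatchedVersion":null}
]}}}`

func main() {
	advisories, err := ParseAdvisories([]byte(SampleResponse)) // offline by default
	if tok := os.Getenv("GITHUB_TOKEN"); tok != "" {
		advisories, err = FetchAdvisories(tok, 25) // live listing when a token is set
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, a := range advisories {
		id, fix := a.CVE, a.Patched
		if id == "" {
			id = a.GHSA
		}
		if fix == "" {
			fix = "no patched version"
		}
		fmt.Printf("%-8s %-19s %-32s %s (fix: %s)\n", a.Severity, id, a.Package, a.Range, fix)
	}
}
```

Run it without a token to see the constructed rows; set `GITHUB_TOKEN` to query the live endpoint. Two details matter when automating this: a `null` `firstPatchedVersion` means no fixed release exists yet, which a pipeline should treat differently from "patched in version X", and GraphQL errors come back with HTTP 200, so the body must be inspected for an `errors` array before trusting `data`.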