GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,387 advisories

Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation Critical
CVE-2026-50566 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to HiyokoSauna37 and sanketsudake
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape Critical
CVE-2026-50564 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to 0xVijay and sanketsudake
Fission Container Executor Function PodSpec Injection Leading to Node Escape Critical
CVE-2026-50563 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover Critical
CVE-2026-50545 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key Critical
CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to riodrwn
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check Critical
GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to Uhudsavasindankacanokcu2
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
Credited to raysabee and PeledTomer1
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass Critical
CVE-2026-49454 was published for relyra (Erlang) Jun 26, 2026
deepstream is vulnerable to prototype pollution Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin Critical
GHSA-98x5-vq43-vc5p was published for semantic-router (pip) Jun 26, 2026
Credited to jamescalam
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
Incus has an arbitrary file write on its client due to trusted image hash Critical
CVE-2026-48769 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an argument injection in backup compression algorithm leading to AFW and ACE Critical
CVE-2026-48755 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file write via path traversal in S3 multipart upload Critical
CVE-2026-48753 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has arbitrary file read+write on host via templates/ symlink in malicious image Critical
CVE-2026-48752 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has a restricted project bypass leading to arbitrary command execution Critical
CVE-2026-48751 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image Critical
CVE-2026-48750 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image Critical
CVE-2026-48749 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
Credited to antifob and stgraber
Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder Critical
CVE-2026-44024 was published for fluentd (RubyGems) Jun 26, 2026
Credited to everping
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement Critical
CVE-2026-46595 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @revoked status Critical
CVE-2026-42508 was published for golang.org/x/crypto/ssh/knownhosts (Go) Jun 25, 2026
golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes Critical
CVE-2026-39834 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed Critical
CVE-2026-39831 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses Critical
CVE-2026-39830 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys Critical
CVE-2026-39832 was published for golang.org/x/crypto/ssh/agent (Go) Jun 25, 2026