GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
4,387 advisories
Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation
Critical: CVE-2026-50566 was published for github.com/fission/fission (Go), Jun 30, 2026
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
Critical: CVE-2026-50564 was published for github.com/fission/fission (Go), Jun 30, 2026
Fission Container Executor Function PodSpec Injection Leading to Node Escape
Critical: CVE-2026-50563 was published for github.com/fission/fission (Go), Jun 30, 2026
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover
Critical: CVE-2026-50545 was published for github.com/fission/fission (Go), Jun 30, 2026
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Critical: CVE-2026-53519 was published for github.com/nezhahq/nezha (Go), Jun 26, 2026
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check
Critical: GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go), Jun 26, 2026
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Critical: CVE-2026-49257 was published for mcp-pinot-server (pip), Jun 26, 2026
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass
Critical: CVE-2026-49454 was published for relyra (Erlang), Jun 26, 2026
deepstream is vulnerable to prototype pollution
Critical: CVE-2026-49252 was published for @deepstream/server (npm), Jun 26, 2026
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
Critical: GHSA-98x5-vq43-vc5p was published for semantic-router (pip), Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Critical: CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm), Jun 26, 2026
Incus has an arbitrary file write on its client due to trusted image hash
Critical: CVE-2026-48769 was published for github.com/lxc/incus/v7/cmd/incusd (Go), Jun 26, 2026
Incus has an argument injection in backup compression algorithm leading to AFW and ACE
Critical: CVE-2026-48755 was published for github.com/lxc/incus/v7/cmd/incusd (Go), Jun 26, 2026
Incus has an arbitrary file write via path traversal in S3 multipart upload
Critical: CVE-2026-48753 was published for github.com/lxc/incus/v7/cmd/incusd (Go), Jun 26, 2026
Incus has arbitrary file read+write on host via templates/ symlink in malicious image
Critical: CVE-2026-48752 was published for github.com/lxc/incus/v7/cmd/incusd (Go), Jun 26, 2026
Incus has a restricted project bypass leading to arbitrary command execution
Critical: CVE-2026-48751 was published for github.com/lxc/incus/v7/cmd/incusd (Go), Jun 26, 2026
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image
Critical: CVE-2026-48750 was published for github.com/lxc/incus/v7/cmd/incusd (Go), Jun 26, 2026
Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image
Critical: CVE-2026-48749 was published for github.com/lxc/incus/v7/cmd/incusd (Go), Jun 26, 2026
Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
Critical: CVE-2026-44024 was published for fluentd (RubyGems), Jun 26, 2026
golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement
Critical: CVE-2026-46595 was published for golang.org/x/crypto/ssh (Go), Jun 25, 2026
golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @revoked status
Critical: CVE-2026-42508 was published for golang.org/x/crypto/ssh/knownhosts (Go), Jun 25, 2026
golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes
Critical: CVE-2026-39834 was published for golang.org/x/crypto/ssh (Go), Jun 25, 2026
golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed
Critical: CVE-2026-39831 was published for golang.org/x/crypto/ssh (Go), Jun 25, 2026
golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses
Critical: CVE-2026-39830 was published for golang.org/x/crypto/ssh (Go), Jun 25, 2026
golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys
Critical: CVE-2026-39832 was published for golang.org/x/crypto/ssh/agent (Go), Jun 25, 2026
ProTip! Advisories are also available from the GraphQL API