GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,630; Maven 5,000+; npm 5,000+; NuGet 928; pip 4,850; Pub 13; RubyGems 1,045; Rust 1,301; Swift 53.

Unreviewed advisories: All unreviewed 5,000+.

3,630 advisories (Go)
Contrast Affected by CopyFile Policy Subversion via Symlinks
High. GHSA-rh99-wc69-c255 was published for github.com/edgelesssys/contrast (Go), Apr 30, 2026.

Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)
High. CVE-2026-42461 was published for github.com/getarcaneapp/arcane/backend (Go), Apr 30, 2026.

auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross-user impersonation
Critical. CVE-2026-42560 was published for github.com/go-pkgz/auth (Go), Apr 30, 2026.

ydb-go-sdk's transactions are not committed using the `options.WithCommit()` option on last call `table.Transaction.Execute` in transaction
Low. GHSA-28xx-pppm-vqff was published for github.com/ydb-platform/ydb-go-sdk/v3 (Go), Apr 30, 2026.

Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)
Critical. CVE-2026-40281 was published for github.com/gotenberg/gotenberg/v8 (Go), Apr 30, 2026.

Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL
High. CVE-2026-39383 was published for github.com/gotenberg/gotenberg/v8 (Go), Apr 30, 2026.

Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
Critical. CVE-2026-40280 was published for github.com/gotenberg/gotenberg/v8 (Go), Apr 30, 2026.

netfoil's optional seccomp sandboxing was not applied
Moderate. GHSA-vjgj-42f6-7997 was published for github.com/tinfoil-factory/netfoil (Go), Apr 29, 2026.

Netfoil has incorrect allowlist enforcement
Moderate. GHSA-84g5-x8j3-7235 was published for github.com/tinfoil-factory/netfoil (Go), Apr 29, 2026.

Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services
High. GHSA-wr32-99hh-6f35 was published for github.com/0xJacky/Nginx-UI (Go), Apr 29, 2026.

GoBGP has Remote Denial of Service (Panic) in UpdatePathAttrs4ByteAs via Malformed BGP UPDATE
High. CVE-2026-41643 was published for github.com/osrg/gobgp/v4 (Go), Apr 29, 2026.

GoBGP has Remote Denial of Service (Panic) via Malformed Well-known Path Attribute
High. CVE-2026-41642 was published for github.com/osrg/gobgp/v4 (Go), Apr 29, 2026.

CoreDNS has TSIG authentication bypass on gRPC and QUIC transports
High. CVE-2026-35579 was published for github.com/coredns/coredns (Go), Apr 28, 2026.

CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC
High. CVE-2026-33190 was published for github.com/coredns/coredns (Go), Apr 28, 2026.

CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass)
High. CVE-2026-33489 was published for github.com/coredns/coredns (Go), Apr 28, 2026.

CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification
High. CVE-2026-32936 was published for github.com/coredns/coredns (Go), Apr 28, 2026.

CoreDNS' DoQ worker pool does not bound stream backlog
High. CVE-2026-32934 was published for github.com/coredns/coredns (Go), Apr 28, 2026.

Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Moderate. CVE-2026-30246 was published for github.com/gofiber/fiber/v3 (Go), Apr 28, 2026.

Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
Moderate. CVE-2026-41572 was published for github.com/enchant97/note-mark/backend (Go), Apr 25, 2026.

Note Mark: OIDC-registered users authenticated by submitting password "null"
Critical. CVE-2026-41571 was published for github.com/enchant97/note-mark/backend (Go), Apr 25, 2026.

Cilium exposes sensitive information included in the cilium-bugtool debug archive
High. CVE-2026-41520 was published for github.com/cilium/cilium (Go), Apr 25, 2026.

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
High. GHSA-74m3-9qvm-rp9h was published for github.com/openziti/zrok (Go), Apr 25, 2026.

Heimdall has an authorization bypass via path normalization mismatch
High. GHSA-3q34-rx83-r6mq was published for github.com/dadrus/heimdall (Go), Apr 25, 2026.

Heimdall: Case-sensitive host matching may lead to policy bypass
High. GHSA-72h4-mxfc-jx37 was published for github.com/dadrus/heimdall (Go), Apr 25, 2026.

Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
High. GHSA-43jv-5j4x-qv67 was published for github.com/dadrus/heimdall (Go), Apr 25, 2026.
Advisories are also available from the GraphQL API.