Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,143
Maven
5,000+
npm
5,000+
NuGet
840
pip
4,439
Pub
12
RubyGems
990
Rust
1,174
Swift
50
Unreviewed advisories
All unreviewed
5,000+

164 advisories

Loading
Unauthorized access to Argo Workflows Template High
CVE-2026-28229 was published for github.com/argoproj/argo-workflows/v3 (Go) Mar 11, 2026
Masamuneee Credited to Masamuneee
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info High
CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 9, 2026
mdcoxe Credited to mdcoxe
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
Caddy's vars_regexp double-expands user input, leaking env vars and files Moderate
CVE-2026-30852 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp (Go) Mar 6, 2026
sammiee5311 Credited to sammiee5311
OliveTin doesn't check view permission when returning dashboards Moderate
CVE-2026-30233 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
Gokapi has Data Leak in Upload Status Stream Moderate
CVE-2026-28682 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Rancher doesn't properly sanitize credentials in cluster template answers Critical
CVE-2021-36783 was published for github.com/rancher/rancher (Go) Mar 3, 2026
FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory High
CVE-2026-28492 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 2, 2026
uug4na Credited to uug4na and hacdias hacdias hacdias
Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users High
CVE-2026-27465 was published for github.com/fleetdm/fleet/v4 (Go) Feb 26, 2026
prateek-0490 Credited to prateek-0490
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links High
CVE-2026-27611 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Feb 25, 2026
ByteAfterlife Credited to ByteAfterlife
uTLS has a fingerprint vulnerability from missing padding extension for Chrome 120 Low
CVE-2026-26995 was published for github.com/refraction-networking/utls (Go) Feb 18, 2026
Mattermost fails to sanitize sensitive data in WebSocket messages Moderate
CVE-2025-13821 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key Moderate
CVE-2026-26014 was published for github.com/pion/dtls (Go) Feb 11, 2026
theodorsm Credited to theodorsm and JoTurk JoTurk JoTurk
Gophish is vulnerable to Incorrect Access Control Moderate
CVE-2025-70963 was published for github.com/gophish/gophish (Go) Feb 6, 2026
Gitea improperly exposes issue and pull request titles Low
CVE-2026-20800 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
CNA Plugins Portmap nftables backend can intercept non-local traffic Moderate
CVE-2025-67499 was published for github.com/containernetworking/plugins (Go) Dec 9, 2025
agusdallalba Credited to agusdallalba and champtar champtar champtar
Mattermost fails to sanitize team email addresses Moderate
CVE-2025-12559 was published for github.com/mattermost/mattermost-server (Go) Nov 27, 2025
Mattermost allows system administrators to access password hashes and MFA secrets Moderate
CVE-2025-11794 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
KubeVirt Vulnerable to Arbitrary Host File Read and Write High
CVE-2025-64324 was published for kubevirt.io/kubevirt (Go) Nov 7, 2025
mihailkirov Credited to mihailkirov, Faeris95, and jean-edouard Faeris95 Faeris95
jean-edouard jean-edouard
lakeFS affected by unauthenticated access to API usage metrics Moderate
CVE-2025-64179 was published for github.com/treeverse/lakefs (Go) Nov 3, 2025
arielshaqed Credited to arielshaqed and nopcoder nopcoder nopcoder
Omni vulnerable to information leak via API High
CVE-2025-61688 was published for github.com/siderolabs/omni (Go) Oct 13, 2025
utkuozdemir Credited to utkuozdemir
Canonical LXD Project Existence Determination Through Error Handling in Image Export Function Moderate
CVE-2025-54290 was published for github.com/canonical/lxd (Go) Oct 2, 2025
Rancher sends sensitive information to external services through the `/meta/proxy` endpoint Moderate
CVE-2025-54468 was published for github.com/rancher/rancher (Go) Sep 26, 2025
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled High
CVE-2025-54376 was published for github.com/SpectoLabs/hoverfly (Go) Sep 10, 2025
Kr1shna4garwal Credited to Kr1shna4garwal
Atlantis Exposes Service Version Publicly on /status API Endpoint Low
CVE-2025-58445 was published for github.com/runatlantis/atlantis (Go) Sep 5, 2025
matthewmrichter Credited to matthewmrichter
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database