
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,599 advisories

gitverify has improper tag signature verification Moderate
GHSA-h829-5cg7-6hff was published for github.com/supply-chain-tools/gitverify (Go) Apr 24, 2026
Kyverno Controller Denial of Service via forEach Mutation Panic High
CVE-2026-41485 was published for github.com/kyverno/kyverno (Go) Apr 24, 2026
Credited to thevilledev
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware Moderate
CVE-2026-41263 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to kodareef5
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding Moderate
CVE-2026-41174 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to tamemghq
Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync High
CVE-2026-40912 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to gouldnicholas
k8sGPT has Prompt Injection through its k8sGPT-Operator High
GHSA-rp7v-4384-hfrp was published for github.com/k8sgpt-ai/k8sgpt (Go) Apr 24, 2026
Credited to haruki3hhh
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing High
CVE-2026-39858 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to fancymalware
Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication High
CVE-2026-35051 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Credited to Zwique
go-zserio has Unbounded Memory Allocation for All Platforms Critical
GHSA-xhj4-g6w8-2xjw was published for github.com/woven-planet/go-zserio (Go) Apr 24, 2026
Credited to Ryujiyasu
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars Critical
CVE-2026-41492 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to MaherAzzouzi
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud High
CVE-2026-41432 was published for github.com/QuantumNous/new-api (Go) Apr 24, 2026
Credited to Calcium-Ion, ChangeYu0229, and kainordherd
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field Critical
CVE-2026-41328 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to VladimirEliTokarev
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field Critical
CVE-2026-41327 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to VladimirEliTokarev
Contour has Lua code injection via Cookie Path Rewrite Policy High
CVE-2026-41246 was published for github.com/projectcontour/contour (Go) Apr 24, 2026
Credited to b0b0haha and kodareef5
melange has Path Traversal via .PKGINFO in --persist-lint-results Moderate
CVE-2026-29051 was published for chainguard.dev/melange (Go) Apr 23, 2026
Credited to 1seal and antitree
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses Moderate
CVE-2026-29050 was published for chainguard.dev/melange (Go) Apr 23, 2026
Credited to 1seal and antitree
Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows Controller High
CVE-2026-40886 was published for github.com/argoproj/argo-workflows/v3 (Go) Apr 23, 2026
Credited to thevilledev
go-ntlmssp NTLM challenges can panic on malformed payloads Moderate
CVE-2026-32952 was published for github.com/Azure/go-ntlmssp (Go) Apr 23, 2026
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS Moderate
GHSA-rhf7-wvw3-vjvm was published for github.com/patrickhener/goshs (Go) Apr 23, 2026
NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access Critical
GHSA-2hp7-65r3-wv54 was published for github.com/orneryd/nornicdb (Go) Apr 22, 2026
SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869) High
GHSA-hjh7-r5w8-5872 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 22, 2026
pgx: SQL Injection via placeholder confusion with dollar quoted string literals Low
GHSA-j88v-2chj-qfwx was published for github.com/jackc/pgx (Go) Apr 22, 2026
Gitea has insecure default SSH settings Moderate
GHSA-3m6q-h5gj-7mrw was published for code.gitea.io/gitea (Go) Apr 22, 2026
Credited to gnzsnz
Nuclei: Environment variable disclosure via Response-Derived DSL Expressions Moderate
CVE-2026-41645 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
Credited to gnuletik
Nuclei: Local File Read via require() Module Loader Bypass Moderate
CVE-2026-41646 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
Credited to AkashHamal0x01