
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,662 advisories

gittuf's policy can be rolled back to prior valid versions Moderate
CVE-2026-44544 was published for github.com/gittuf/gittuf (Go) May 7, 2026
Credited to andrew
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header) Moderate
GHSA-mmpx-jh39-wrv6 was published for github.com/gtsteffaniak/filebrowser (Go) May 7, 2026
Credited to MuxiLyuLucy
ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check Moderate
CVE-2026-44426 was published for github.com/shellhub-io/shellhub (Go) May 7, 2026
Credited to Edu0x01
Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change Moderate
GHSA-258c-965c-p3hc was published for github.com/daptin/daptin (Go) May 7, 2026
Credited to VashuVats
Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users Moderate
CVE-2026-44514 was published for github.com/kubetail-org/kubetail/modules/cli (Go) May 7, 2026
go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth Moderate
CVE-2026-42328 was published for github.com/ipld/go-ipld-prime (Go) May 7, 2026
Credited to yuliyu123
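The go-ipld-prime entry names a failure class worth seeing in code: a recursive-descent decoder that follows every opening bracket with a recursive call and never counts how deep it is. A single hostile document of a few million nested lists then drives the goroutine stack past the runtime's limit (1 GB on 64-bit platforms), and Go aborts the whole process with a fatal, non-recoverable stack overflow. The toy decoder below is an added example, not go-ipld-prime's code; it parses a deliberately tiny DAG-JSON-like subset (lists of non-negative integers) and shows the one check that bounds the recursion. `Parse`, `Node`, `Nested` and the limit of 64 are assumptions of this example; `maxDepth == 0` reproduces the unbounded behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var ErrDepth = errors.New("nesting depth exceeds limit")
var ErrSyntax = errors.New("syntax error")

// Node is a decoded value: a list of nodes or an integer.
type Node struct {
	IsList bool
	List   []Node
	Int    int
}

// parser is a recursive-descent decoder for a toy DAG-JSON-like subset (lists
// of non-negative integers). maxDepth == 0 reproduces the unbounded behaviour.
type parser struct {
	s        string
	i        int
	maxDepth int
}

// Parse decodes input, refusing lists nested deeper than maxDepth levels.
func Parse(input string, maxDepth int) (Node, error) {
	p := &parser{s: input, maxDepth: maxDepth}
	n, err := p.value(0)
	if err != nil {
		return Node{}, err
	}
	if p.skipWS() != len(p.s) {
		return Node{}, ErrSyntax
	}
	return n, nil
}

// skipWS advances past whitespace and returns the new offset.
func (p *parser) skipWS() int {
	for p.i < len(p.s) && strings.IndexByte(" \t\n", p.s[p.i]) >= 0 {
		p.i++
	}
	return p.i
}

// value decodes one value; depth is the number of lists currently open above it.
func (p *parser) value(depth int) (Node, error) {
	if p.skipWS() >= len(p.s) {
		return Node{}, ErrSyntax
	}
	if p.s[p.i] != '[' {
		start := p.i
		for p.i < len(p.s) && p.s[p.i] >= '0' && p.s[p.i] <= '9' {
			p.i++
		}
		v, err := strconv.Atoi(p.s[start:p.i])
		if err != nil {
			return Node{}, ErrSyntax
		}
		return Node{Int: v}, nil
	}
	// The check an unbounded decoder lacks: refuse before recursing, so the
	// call stack never grows past maxDepth frames however long the input is.
	if p.maxDepth > 0 && depth >= p.maxDepth {
		return Node{}, ErrDepth
	}
	p.i++
	n := Node{IsList: true, List: []Node{}}
	if p.skipWS() < len(p.s) && p.s[p.i] == ']' {
		p.i++
		return n, nil
	}
	for {
		child, err := p.value(depth + 1)
		if err != nil {
			return Node{}, err
		}
		n.List = append(n.List, child)
		if p.skipWS() >= len(p.s) {
			return Node{}, ErrSyntax
		}
		switch p.s[p.i] {
		case ',':
			p.i++
		case ']':
			p.i++
			return n, nil
		default:
			return Node{}, ErrSyntax
		}
	}
}

// Nested builds the constructed hostile input: n '[' followed by n ']'.
func Nested(n int) string {
	return strings.Repeat("[", n) + strings.Repeat("]", n)
}

func main() {
	n, err := Parse("[1, [2, 3], []]", 64)
	fmt.Println("benign:", len(n.List), "elements,", err)
	_, err = Parse(Nested(1_000_000), 64)
	fmt.Println("hostile:", err)
}
```

The limit is checked before the recursive call, so a million-bracket input costs 64 frames and one error return instead of a crash. Pick the limit from the deepest document the application legitimately handles; a CBOR or JSON library that exposes no such knob has to be wrapped by a size or depth pre-check on the untrusted bytes.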
Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest Moderate
CVE-2026-42081 was published for github.com/free5gc/amf (Go) May 7, 2026
Credited to SJNA0414, ICSR-KMU, and bradypus404
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme Moderate
CVE-2026-42597 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes Moderate
CVE-2026-42593 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes Moderate
CVE-2026-42592 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
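The Gotenberg DNS-rebinding entry names the classic time-of-check/time-of-use gap in SSRF filters: the service resolves the URL's hostname, confirms the address is public, then hands the URL (as a hostname) to an HTTP client or headless browser that resolves it a second time, by which point an attacker-controlled DNS server answers with 127.0.0.1 or the cloud metadata address. The Go below is an added example, not Gotenberg's code. It injects a constructed rebinding resolver so the two flows can be compared offline, and shows the usual fix: dial the address that passed validation, never the name. `Resolver`, `RebindingResolver`, `ConnectUnpinned`, `ConnectPinned` and the TEST-NET address 203.0.113.10 are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

var ErrBlockedAddress = errors.New("destination resolves to a blocked address")

// Resolver is injected so the example runs offline; production code would use
// net.DefaultResolver.LookupIPAddr.
type Resolver interface {
	Lookup(host string) ([]net.IP, error)
}

// RebindingResolver is a constructed attacker DNS server: each successive query
// is answered from the next entry, e.g. a public IP first (to pass validation)
// and 127.0.0.1 second (when the socket is actually opened).
type RebindingResolver struct {
	Answers [][]net.IP
	calls   int
}

func (r *RebindingResolver) Lookup(host string) ([]net.IP, error) {
	i := r.calls
	if i >= len(r.Answers) {
		i = len(r.Answers) - 1
	}
	r.calls++
	return r.Answers[i], nil
}

// IsAllowedIP rejects loopback, RFC 1918/ULA, link-local (which includes the
// cloud metadata address 169.254.169.254), unspecified and multicast addresses.
func IsAllowedIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// validate resolves host once and requires every returned address to pass.
func validate(host string, r Resolver) ([]net.IP, error) {
	ips, err := r.Lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, ErrBlockedAddress
	}
	for _, ip := range ips {
		if !IsAllowedIP(ip) {
			return nil, ErrBlockedAddress
		}
	}
	return ips, nil
}

// ConnectUnpinned is the vulnerable flow: validate by name, then let the client
// resolve the name again. The returned IP is what the socket really reaches.
func ConnectUnpinned(host string, r Resolver) (net.IP, error) {
	if _, err := validate(host, r); err != nil {
		return nil, err
	}
	again, err := r.Lookup(host) // second resolution: the attacker now answers 127.0.0.1
	if err != nil || len(again) == 0 {
		return nil, ErrBlockedAddress
	}
	return again[0], nil
}

// ConnectPinned is the hardened flow: the address that passed validation is the
// one dialled; no second resolution happens.
func ConnectPinned(host string, r Resolver) (net.IP, error) {
	ips, err := validate(host, r)
	if err != nil {
		return nil, err
	}
	return ips[0], nil
}

// PinnedTransport dials the pinned IP for host while net/http keeps deriving the
// Host header and TLS SNI from the request URL, not from the dialled address.
// Any other hostname (e.g. a redirect target) is refused rather than resolved.
func PinnedTransport(host string, pinned net.IP) *http.Transport {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	return &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			h, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			if h != host {
				return nil, fmt.Errorf("refusing to dial %q: only %q is pinned", h, host)
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(pinned.String(), port))
		},
	}
}

func main() {
	mk := func() *RebindingResolver {
		return &RebindingResolver{Answers: [][]net.IP{{net.ParseIP("203.0.113.10")}, {net.ParseIP("127.0.0.1")}}}
	}
	ip, _ := ConnectUnpinned("attacker.example", mk())
	fmt.Println("unpinned flow reaches", ip)
	ip, _ = ConnectPinned("attacker.example", mk())
	fmt.Println("pinned flow reaches", ip)
	_ = PinnedTransport("attacker.example", ip)
}
```

Pinning only helps if every hop is pinned: a 3xx to a new host has to go back through `validate` and get its own transport, which is why the dialer above refuses unknown names instead of resolving them. When the fetch is delegated to a headless browser rather than an in-process client, the same idea has to be enforced at the network layer (an egress proxy that applies the allow-list per connection), since the browser does its own DNS.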
ShellHub has crash-DoS via field injection in filter and sort-by parameters Moderate
CVE-2026-44425 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Credited to Edu0x01
ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data Moderate
CVE-2026-44423 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Credited to Edu0x01
ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace Moderate
CVE-2026-44424 was published for github.com/shellhub-io/shellhub (Go) May 6, 2026
Credited to Edu0x01
axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification Moderate
GHSA-mhc4-qq83-fmrr was published for github.com/getaxonflow/axonflow-sdk-go/v5 (Go) May 6, 2026
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component Moderate
CVE-2026-44245 was published for github.com/kyverno/policy-reporter-ui (Go) May 6, 2026
Credited to r0binak
Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds` Moderate
CVE-2026-42572 was published for github.com/hatchet-dev/hatchet (Go) May 6, 2026
Credited to sajdakabir
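Four entries above share one bug class: cross-tenant IDOR, in the ShellHub namespace, session and device lookups and in Hatchet's `listTasksByDAGIds`. The common shape is a handler that fetches a record by a globally unique id and either never consults the caller's tenant or consults it on only one authentication path (a session but not an API key). The Go below is an added example, not code from either project; it puts the vulnerable and hardened lookups side by side over constructed sample data and includes the batch-by-ids variant. `Principal`, `Resource`, `GetUnscoped`, `GetScoped`, `ListByIDsScoped` and the tenant and uid values are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned for both "no such record" and "record belongs to a
// different tenant", so the API does not double as an existence oracle.
var ErrNotFound = errors.New("not found")

// Resource is a constructed stand-in for a device, SSH session or task row that
// belongs to exactly one tenant (namespace). Field names are assumptions.
type Resource struct {
	UID      string
	TenantID string
	Summary  string
}

// Principal is what the authentication layer hands to the handler after it has
// validated a session cookie or an API key. TenantID must be derived from the
// credential itself, never from the request path, query or body, and every
// credential type must populate it the same way.
type Principal struct {
	UserID   string
	TenantID string
}

// records is constructed sample data: two tenants, one record each.
var records = map[string]Resource{
	"dev-a1": {UID: "dev-a1", TenantID: "tenant-a", Summary: "edge-router (tenant-a)"},
	"dev-b1": {UID: "dev-b1", TenantID: "tenant-b", Summary: "lab-pi (tenant-b)"},
}

// GetUnscoped is the vulnerable shape: the lookup key is the uid alone, so any
// authenticated caller who learns or guesses another tenant's uid receives that
// tenant's record. In SQL terms: SELECT ... WHERE uid = $1.
func GetUnscoped(p Principal, uid string) (Resource, error) {
	r, ok := records[uid]
	if !ok {
		return Resource{}, ErrNotFound
	}
	return r, nil
}

// GetScoped is the hardened shape: tenant membership is part of the lookup
// itself rather than a separate check bolted onto one auth path, so an API key
// and a browser session are constrained identically.
// In SQL terms: SELECT ... WHERE uid = $1 AND tenant_id = $2.
func GetScoped(p Principal, uid string) (Resource, error) {
	r, ok := records[uid]
	if !ok || r.TenantID != p.TenantID {
		return Resource{}, ErrNotFound
	}
	return r, nil
}

// ListByIDsScoped covers the batch variant (a list endpoint taking many ids):
// ids from other tenants are dropped rather than returned or reported as
// forbidden, which would still leak that they exist.
func ListByIDsScoped(p Principal, uids []string) []Resource {
	out := make([]Resource, 0, len(uids))
	for _, uid := range uids {
		if r, err := GetScoped(p, uid); err == nil {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	alice := Principal{UserID: "alice", TenantID: "tenant-a"}
	if r, err := GetUnscoped(alice, "dev-b1"); err == nil {
		fmt.Println("unscoped lookup leaks:", r.Summary)
	}
	if _, err := GetScoped(alice, "dev-b1"); err != nil {
		fmt.Println("scoped lookup:", err)
	}
	fmt.Println("batch:", ListByIDsScoped(alice, []string{"dev-a1", "dev-b1", "nope"}))
}
```

The practical check when auditing a multi-tenant API is mechanical: for every query that takes an id from the request, confirm the tenant column is in the WHERE clause (or the row is verified after the fetch) and that the tenant value originates from the authenticated principal on every credential path, not just the one the UI happens to use.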
kube-router: GoBGP gRPC Admin Port Exposed on Node Primary IP Without Authentication, Allowing Cluster-Wide BGP Route Injection Moderate
GHSA-v5mh-h5hx-7v92 was published for github.com/cloudnativelabs/kube-router (Go) May 6, 2026
Credited to offset
Hugo's Node tool execution allows file system access outside the project directory Moderate
CVE-2026-44301 was published for github.com/gohugoio/hugo (Go) May 6, 2026
Credited to jmooring, bacu79, and Gokul965
Nginx-UI Settings API Exposes Protected Secrets Moderate
CVE-2026-42223 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
Credited to yotampe-pluto
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display Moderate
GHSA-fw8g-cg8f-9j28 was published for github.com/prometheus/prometheus (Go) May 5, 2026
Credited to iiihaiii and ngocnn97
Kubewarden vulnerable to RBAC Reconnaissance via unchecked can_i host capability call Moderate
CVE-2026-42541 was published for github.com/kubewarden/kubewarden-controller (Go) May 5, 2026
Credited to thevilledev
PocketBase vulnerable to account pre-hijacking via OAuth2 unverified->verified autolinking upgrade Moderate
CVE-2026-44166 was published for github.com/pocketbase/pocketbase (Go) May 5, 2026
Credited to Alardiians
Fiber vulnerable to XSS in AutoFormat Content Negotiation Moderate
CVE-2026-42554 was published for github.com/gofiber/fiber/v2 (Go) May 5, 2026
Credited to wodzen, gaby, ReneWerner87, and sixcolors
MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint Moderate
CVE-2026-42600 was published for github.com/minio/minio (Go) May 5, 2026
Credited to adrian-doyensec and donatello