GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,372 advisories

Talos Linux has a local privilege escalation from untrusted workloads High
GHSA-m38g-vww2-mvgx was published for github.com/siderolabs/talos (Go) May 7, 2026
Free5GC UDM has Improper Input Validation and Generation of Error Messages Containing Sensitive Information High
CVE-2026-42459 was published for github.com/free5gc/udm (Go) May 7, 2026
Credited to Giancannella and LinZiyuu
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect High
CVE-2026-44503 was published for Microsoft.Kiota.Abstractions (Go) May 7, 2026
Credited to MIchaelMainer
Rancher Extensions have arbitrary file access via path traversal High
CVE-2026-25705 was published for github.com/rancher/rancher (Go) May 7, 2026
Credited to KoreaSecurity
Amazon ECS Container Agent (Windows) is vulnerable to Information Disclosure High
GHSA-fc67-c4hg-q653 was published for github.com/aws/amazon-ecs-agent (Go) May 7, 2026
Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine High
CVE-2026-42594 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
Gotenberg has a Server-Side Request Forgery (SSRF) Issue High
CVE-2026-42591 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to kakarotsec
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist High
CVE-2026-42590 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
Credited to JohannesLks
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay High
CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026
Credited to caitlinhalla
Daptin fuzzy search injects unvalidated column name into raw SQL High
CVE-2026-44349 was published for github.com/daptin/daptin (Go) May 6, 2026
Credited to alpakalee
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS High
CVE-2025-71261 was published for github.com/harvester/harvester (Go) May 6, 2026
Mezo: ERC-20 bridgeOut burn can be erased by a stale StateDB overwrite leading to full L1 bridge drain High
GHSA-6447-269v-g68m was published for github.com/mezo-org/mezod (Go) May 6, 2026
Credited to DeltaXV
QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0 High
CVE-2026-42339 was published for github.com/QuantumNous/new-api (Go) May 6, 2026
Credited to MeeseeksX
DevSpace UI Server WebSocket CheckOrigin does not validate source High
CVE-2026-42283 was published for github.com/loft-sh/devspace (Go) May 6, 2026
Credited to b0b0haha
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover High
CVE-2026-42222 was published for github.com/0xJacky/nginx-ui (Go) May 6, 2026
Credited to Kakeru-Ishii
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim High
CVE-2026-42221 was published for github.com/0xJacky/Nginx-UI (Go) May 6, 2026
Credited to R1ZZG0D
authd: Primary group ID is incorrectly set to value of UID High
CVE-2026-6970 was published for github.com/canonical/authd (Go) May 5, 2026
Credited to nooreldeenmansour, samikhan-de, and korhlibri
Hysteria: A specially constructed quic package can crash the server OOM when the sniff is enabled High
GHSA-9fw6-xgg2-mq9q was published for github.com/apernet/hysteria/core/v2 (Go) May 5, 2026
Credited to Cherrling
GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference) High
CVE-2026-42285 was published for github.com/osrg/gobgp/v4 (Go) May 5, 2026
Credited to bacon251
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload High
CVE-2026-42154 was published for github.com/prometheus/prometheus (Go) May 5, 2026
Credited to ShadowByte1
Prometheus Azure AD remote write OAuth client secret exposed via config API High
CVE-2026-42151 was published for github.com/prometheus/prometheus (Go) May 5, 2026
Credited to brettgervasoni
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) High
CVE-2026-42575 was published for chainguard.dev/apko (Go) May 4, 2026
Credited to 1seal and antitree
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root High
CVE-2026-42574 was published for chainguard.dev/apko (Go) May 4, 2026
Credited to 1seal, antitree, and markusthoemmes
Argo vulnerable to exposure of artifact repository credentials High
CVE-2026-42295 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Credited to Masamuneee, Joibel, and isubasinghe