GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,556 advisories

zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering Moderate
CVE-2026-40302 was published for github.com/openziti/zrok (Go) Apr 16, 2026
Credited to bugbunny-research and komi22
Istio: AuthorizationPolicy serviceAccounts regex injection via unescaped dots Moderate
CVE-2026-39350 was published for istio.io/istio (Go) Apr 16, 2026
Credited to Wernerina
SpdyStream: DOS on CRI High
CVE-2026-35469 was published for github.com/moby/spdystream (Go) Apr 16, 2026
KubeVirt's authorization mechanism improperly truncates subresource names Moderate
CVE-2026-6383 was published for kubevirt.io/kubevirt (Go) Apr 15, 2026
Exposure of Storage Secret in Pyroscope Critical
CVE-2025-41118 was published for github.com/grafana/pyroscope (Go) Apr 15, 2026
Grafana Loki Path Traversal - CVE-2021-36156 Bypass Moderate
CVE-2026-21726 was published for github.com/grafana/loki/v3 (Go) Apr 15, 2026
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex High
GHSA-pxq7-h93f-9jrg was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to rootxharsh
OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims Moderate
CVE-2026-40574 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to kodareef5
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to iamnoooob
Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token High
CVE-2026-6290 was published for www.velocidex.com/golang/velociraptor (Go) Apr 15, 2026
NietThijmen ShoppingCart: Command injection in the connect function High
CVE-2024-53412 was published for github.com/NietThijmen/ShoppingCart (Go) Apr 15, 2026
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads High
GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) Apr 14, 2026
Credited to ddd, harshavardhana, and donatello
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses Low
GHSA-hw5x-4r37-72w7 was published for github.com/opentofu/opentofu (Go) Apr 14, 2026
frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control Moderate
GHSA-pq96-pwvg-vrr9 was published for github.com/fatedier/frp (Go) Apr 14, 2026
Credited to 0wnerDied
Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles High
GHSA-7jrq-q4pq-rhm6 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia affected by server crash via race condition in session heartbeat handling High
GHSA-5gqc-qhrj-9xw8 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia has an OIDC token audience validation bypass via SkipClientIDCheck Critical
GHSA-fhvp-9hcj-6m33 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia exposes bearer token in debug log messages on authentication failure High
GHSA-pm7q-rjjx-979p was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
SiYuan has incomplete fix for CVE-2026-33066: XSS Moderate
GHSA-8q5w-mmxf-48jg was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 14, 2026
Credited to wooseokdotkim
Go Markdown has an Out-of-bounds Read in SmartypantsRenderer High
CVE-2026-40890 was published for github.com/gomarkdown/markdown (Go) Apr 14, 2026
Credited to JulesDT
Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access High
CVE-2026-4789 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to iggypopi and stepanskyigor-orca
SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs Moderate
CVE-2026-40091 was published for github.com/authzed/spicedb (Go) Apr 14, 2026
Credited to miparnisari
Zarf has a Path Traversal via Malicious Package Metadata.Name - Arbitrary File Write High
CVE-2026-40090 was published for github.com/zarf-dev/zarf (Go) Apr 14, 2026
Credited to joonas