GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,630 advisories

pgx: SQL Injection via placeholder confusion with dollar quoted string literals Low
CVE-2026-41889 was published for github.com/jackc/pgx (Go) Apr 22, 2026
Contrast Affected by CopyFile Policy Subversion via Symlinks High
GHSA-rh99-wc69-c255 was published for github.com/edgelesssys/contrast (Go) Apr 30, 2026
Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets) High
CVE-2026-42461 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 30, 2026
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross-user impersonation Critical
CVE-2026-42560 was published for github.com/go-pkgz/auth (Go) Apr 30, 2026
Credited to Nadav0077
Inspektor Gadget: Command Injection via malicious buildOptions manipulation Moderate
CVE-2026-24905 was published for github.com/inspektor-gadget/inspektor-gadget (Go) Apr 22, 2026
Credited to ndaprela, suidpit, eiffel-fl, and burak-ok
ydb-go-sdk's transactions are not committed using the `options.WithCommit()` option on last call `table.Transaction.Execute` in transaction Low
GHSA-28xx-pppm-vqff was published for github.com/ydb-platform/ydb-go-sdk/v3 (Go) Apr 30, 2026
Credited to kprokopenko and asmyasnikov
Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix) Critical
CVE-2026-40281 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
Credited to morimori-dev
Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL High
CVE-2026-39383 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
Credited to S-Senhaji
Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection Critical
CVE-2026-40280 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
Credited to morimori-dev
netfoil's optional seccomp sandboxing was not applied Moderate
GHSA-vjgj-42f6-7997 was published for github.com/tinfoil-factory/netfoil (Go) Apr 29, 2026
Netfoil has incorrect allowlist enforcement Moderate
GHSA-84g5-x8j3-7235 was published for github.com/tinfoil-factory/netfoil (Go) Apr 29, 2026
Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services High
GHSA-wr32-99hh-6f35 was published for github.com/0xJacky/Nginx-UI (Go) Apr 29, 2026
Credited to miffyaa
GoBGP has Remote Denial of Service (Panic) in UpdatePathAttrs4ByteAs via Malformed BGP UPDATE High
CVE-2026-41643 was published for github.com/osrg/gobgp/v4 (Go) Apr 29, 2026
Credited to bacon251
GoBGP has Remote Denial of Service (Panic) via Malformed Well-known Path Attribute High
CVE-2026-41642 was published for github.com/osrg/gobgp/v4 (Go) Apr 29, 2026
Credited to bacon251
Mattermost MS Teams plugin doesn't limit the request body size on the /lifecycle webhook endpoint Low
CVE-2026-21388 was published for github.com/mattermost/mattermost-plugin-msteams (Go) Apr 9, 2026
Mattermost MS Teams plugin doesn't limit the request body size on the /changes webhook endpoint Moderate
CVE-2026-24661 was published for github.com/mattermost/mattermost-plugin-msteams (Go) Apr 9, 2026
Mattermost doesn't validate CSRF tokens on an authentication endpoint Moderate
CVE-2026-28741 was published for github.com/mattermost/mattermost/server/v8 (Go) Apr 17, 2026
Memos has an Incorrect Privilege Assignment issue Low
CVE-2026-6634 was published for github.com/usememos/memos (Go) Apr 20, 2026
Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace Low
CVE-2026-27769 was published for github.com/mattermost/mattermost-server (Go) Apr 17, 2026
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement Moderate
CVE-2026-3590 was published for github.com/mattermost/mattermost-server (Go) Apr 17, 2026
CoreDNS has TSIG authentication bypass on gRPC and QUIC transports High
CVE-2026-35579 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to wnoelll
CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC High
CVE-2026-33190 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to manizada
CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass) High
CVE-2026-33489 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to manizada
CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification High
CVE-2026-32936 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to thesmartshadow
CoreDNS' DoQ worker pool does not bound stream backlog High
CVE-2026-32934 was published for github.com/coredns/coredns (Go) Apr 28, 2026
Credited to manizada