GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,479
Maven: 5,000+
npm: 5,000+
NuGet: 886
pip: 4,740
Pub: 13
RubyGems: 1,031
Rust: 1,225
Swift: 53
Unreviewed advisories
All unreviewed: 5,000+
28,808 advisories
Apache Log4j's JsonTemplateLayout produces invalid JSON output when log events contain non-finite floating-point values
Moderate | CVE-2026-34481 was published for org.apache.logging.log4j:log4j-layout-template-json (Maven) | Apr 10, 2026
Apache Log4j Core's XmlLayout fails to sanitize characters
Moderate | CVE-2026-34480 was published for org.apache.logging.log4j:log4j-core (Maven) | Apr 10, 2026
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
Low | CVE-2026-40077 was published for github.com/henrygd/beszel (Go) | Apr 10, 2026
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
Moderate | CVE-2026-40074 was published for @sveltejs/kit (npm) | Apr 10, 2026
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
High | CVE-2026-40073 was published for @sveltejs/kit (npm) | Apr 10, 2026
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Moderate | CVE-2026-39961 was published for github.com/aiven/aiven-operator (Go) | Apr 10, 2026
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
Moderate | CVE-2026-40103 was published for code.vikunja.io/api (Go) | Apr 10, 2026
@vitejs/plugin-rsc has a Denial of Service with React Server Components
High | GHSA-v457-wxvj-p9w9 was published for @vitejs/plugin-rsc (npm) | Apr 10, 2026
Next.js has a Denial of Service with Server Components
High | GHSA-q4gf-8mx6-v5v3 was published for next (npm) | Apr 10, 2026
React Server Components have a Denial of Service Vulnerability
High | CVE-2026-23869 was published for react-server-dom-parcel (npm) | Apr 10, 2026
Vikunja has File Size Limit Bypass via Vikunja Import
Moderate | CVE-2026-35602 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
Moderate | CVE-2026-35601 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Moderate | CVE-2026-35600 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
Moderate | CVE-2026-35599 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja Missing Authorization on CalDAV Task Read
Moderate | CVE-2026-35598 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
Moderate | CVE-2026-35597 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Moderate | CVE-2026-35596 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja vulnerable to Privilege Escalation via Project Reparenting
High | CVE-2026-35595 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Moderate | CVE-2026-35206 was published for helm.sh/helm/v3 (Go) | Apr 10, 2026
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
High | CVE-2026-35205 was published for helm.sh/helm/v4 (Go) | Apr 10, 2026
Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
High | CVE-2026-35204 was published for helm.sh/helm/v4 (Go) | Apr 10, 2026
Wasmtime has improperly masked return value from `table.grow` with Winch compiler backend
Moderate | CVE-2026-35186 was published for wasmtime (Rust) | Apr 10, 2026
Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access
Critical | CVE-2026-34987 was published for wasmtime (Rust) | Apr 10, 2026
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Moderate | CVE-2026-35594 was published for code.vikunja.io/api (Go) | Apr 10, 2026
Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
High | CVE-2026-34727 was published for code.vikunja.io/api (Go) | Apr 10, 2026
ProTip! Advisories are also available from the GraphQL API