GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
42 advisories
Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
Moderate: CVE-2026-34227 was published for github.com/bishopfox/sliver (Go), Mar 31, 2026
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
Critical: CVE-2026-33032 was published for github.com/0xJacky/Nginx-UI (Go), Mar 30, 2026
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
High: CVE-2026-33203 was published for github.com/siyuan-note/siyuan/kernel (Go), Mar 18, 2026
Linkdave Missing Authentication on REST and WebSocket endpoints
Critical: GHSA-xv8g-fj9h-6gmv was published for github.com/shi-gg/linkdave (Go), Mar 10, 2026
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
High: CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go), Mar 9, 2026
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
Critical: CVE-2026-27944 was published for github.com/0xJacky/Nginx-UI (Go), Mar 5, 2026
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Moderate: CVE-2026-24004 was published for github.com/fleetdm/fleet/v4 (Go), Feb 26, 2026
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
Critical: GHSA-6qr9-g2xw-cw92 was published for github.com/dagu-org/dagu (Go), Feb 19, 2026
Unauthenticated Admission Webhook Endpoints in Yoke ATC
High: CVE-2026-26055 was published for github.com/yokecd/yoke (Go), Feb 12, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical: CVE-2026-26190 was published for github.com/milvus-io/milvus (Go), Feb 11, 2026
Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service
High: CVE-2026-25791 was published for github.com/bishopfox/sliver (Go), Feb 6, 2026
Dragonfly Manager Job API Unauthenticated Access
High: CVE-2026-24124 was published for d7y.io/dragonfly/v2 (Go), Jan 22, 2026
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware
Critical: CVE-2026-0650 was published for github.com/openflagr/flagr (Go), Jan 7, 2026
Ollama Platform has missing authentication enabling attackers to perform model management operations
Critical: CVE-2025-63389 was published for github.com/ollama/ollama (Go), Dec 18, 2025
Step CA Has Authorization Bypass in ACME and SCEP Provisioners
Critical: CVE-2025-44005 was published for github.com/smallstep/certificates (Go), Dec 3, 2025
Mattermost fails to validate user permissions in Boards
Low: CVE-2025-13870 was published for github.com/mattermost/mattermost (Go), Dec 2, 2025
Mattermost does not enforce MFA on WebSocket connections
Moderate: CVE-2025-55070 was published for github.com/mattermost/mattermost-server (Go), Nov 14, 2025
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
Moderate: CVE-2025-55073 was published for github.com/mattermost/mattermost-server (Go), Nov 14, 2025
Dragonfly doesn't have authentication enabled for some Manager’s endpoints
High: CVE-2025-59345 was published for d7y.io/dragonfly/v2 (Go), Sep 17, 2025
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
High: CVE-2025-59358 was published for github.com/chaos-mesh/chaos-mesh (Go), Sep 15, 2025
Mattermost Does Not Sanitize the Team Invite ID
Moderate: CVE-2025-47870 was published for github.com/mattermost/mattermost-server (Go), Aug 21, 2025
Mattermost Confluence Plugin is Missing Authentication for Critical Function
Moderate: CVE-2025-54478 was published for github.com/mattermost/mattermost-plugin-confluence (Go), Aug 11, 2025
Mattermost Confluence Plugin is Missing Authentication for Critical Function
High: CVE-2025-44004 was published for github.com/mattermost/mattermost-plugin-confluence (Go), Aug 11, 2025
Mattermost Missing Authentication for Critical Function
Moderate: CVE-2025-6226 was published for github.com/mattermost/mattermost-server (Go), Jul 18, 2025
OpenBao allows cancellation of root rekey and recovery rekey operations without authentication
Moderate: CVE-2025-52894 was published for github.com/openbao/openbao (Go), Jun 26, 2025
ProTip! Advisories are also available from the GraphQL API