
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

82 advisories

Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization Critical
CVE-2026-34976 was published for github.com/dgraph-io/dgraph (Go) Apr 2, 2026
Credited to kodareef5
ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API High
CVE-2026-27946 was published for github.com/zitadel/zitadel (Go) Feb 27, 2026
Credited to livio-a, IAM-marco, and MhdAsfan
act: actions/cache server allows malicious cache injection High
CVE-2026-34042 was published for github.com/nektos/act (Go) Mar 27, 2026
Credited to programmerjake
Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint Moderate
CVE-2026-33638 was published for github.com/lin-snow/ech0 (Go) Mar 24, 2026
Credited to QiaoNPC
A Fleet team maintainer can transfer hosts from any team via missing source team authorization Moderate
CVE-2026-29180 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
Credited to prateek-0490
In Soft Serve, an authenticated repo import can clone server-local private repositories High
CVE-2026-33353 was published for github.com/charmbracelet/soft-serve (Go) Mar 19, 2026
Credited to evnsh
Ory Oathkeeper has an authentication bypass by usage of untrusted header Moderate
CVE-2026-33495 was published for github.com/ory/oathkeeper (Go) Mar 20, 2026
etcd: Authorization bypasses in multiple APIs High
CVE-2026-33413 was published for go.etcd.io/etcd (Go) Mar 20, 2026
Credited to manizada
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement High
CVE-2026-33316 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to VashuVats
Mattermost leaks details of AD/LDAP groups of a team Moderate
CVE-2024-23493 was published for github.com/mattermost/mattermost/server/v8 (Go) Feb 29, 2024
Mattermost fails to filter invite IDs based on user permissions Moderate
CVE-2026-2463 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Mattermost allows a removed team member to enumerate all public channels within a private team Moderate
CVE-2026-2458 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren High
CVE-2026-30926 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 9, 2026
Credited to Zwique
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint Moderate
CVE-2026-24004 was published for github.com/fleetdm/fleet/v4 (Go) Feb 26, 2026
Credited to prateek-0490
OliveTin doesn't check view permission when returning dashboards Moderate
CVE-2026-30233 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Credited to Zwique
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access Moderate
CVE-2026-29073 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 3, 2026
Credited to rezmoss
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login High
CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
Credited to kule500
lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints Moderate
CVE-2026-3351 was published for github.com/canonical/lxd (Go) Mar 4, 2026
Credited to bugbunny-research
Rancher's restricted PodSecurityPolicy does not prevent containers from running as a privileged user High
GHSA-hwm2-4ph6-w6m5 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints Moderate
CVE-2026-27111 was published for github.com/akuity/kargo (Go) Feb 19, 2026
Credited to b0b0haha, spingARbor, and krancour
Fleet has an Access Control vulnerability in debug/pprof endpoints High
CVE-2026-23517 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
Credited to prateek-0490 and iansltx
Unauthenticated File Upload in Gogs Moderate
CVE-2026-25242 was published for gogs.io/gogs (Go) Feb 17, 2026
Mattermost fails to enforce invite permissions when updating team settings Low
CVE-2025-14573 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost fails to properly validate team membership when processing channel mentions Moderate
CVE-2025-14350 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost Plugin Zoom fails to validate user identity and post ownership in the /api/v1/askPMI endpoint Moderate
CVE-2026-0998 was published for github.com/mattermost/mattermost-plugin-zoom (Go) Feb 16, 2026
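Most entries in this list share one root cause: a handler that authenticates the caller but authorizes only part of the operation, or none of it. The Fleet host-transfer advisory above names the pattern explicitly (the destination team is checked, the source team is not). The following Go program is an added illustration of that pattern in a constructed toy model; it is not Fleet's code or any other listed project's code, and the names `Host`, `Caller`, `MaintainerOf`, `transferVulnerable` and `transferHardened` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden is returned when the caller lacks the required permission.
var ErrForbidden = errors.New("forbidden")

// Host is a managed device that belongs to exactly one team.
// Constructed toy model; not the data model of any project in the list.
type Host struct {
	ID     string
	TeamID string
}

// Caller is an authenticated user together with the set of teams
// they are allowed to administer (assumed permission model).
type Caller struct {
	ID           string
	MaintainerOf map[string]bool
}

func (c *Caller) canAdminister(team string) bool {
	return c.MaintainerOf[team]
}

// transferVulnerable shows the missing-source-authorization pattern:
// only the destination team is checked, so a maintainer of any one team
// can pull hosts out of teams they do not control.
func transferVulnerable(c *Caller, h *Host, dstTeam string) error {
	if !c.canAdminister(dstTeam) {
		return ErrForbidden
	}
	h.TeamID = dstTeam
	return nil
}

// transferHardened authorizes both ends of the move: the caller must be
// allowed to remove the host from its current team and to add it to the
// destination. Both checks run before any state is changed.
func transferHardened(c *Caller, h *Host, dstTeam string) error {
	if !c.canAdminister(h.TeamID) {
		return fmt.Errorf("remove from %s: %w", h.TeamID, ErrForbidden)
	}
	if !c.canAdminister(dstTeam) {
		return fmt.Errorf("add to %s: %w", dstTeam, ErrForbidden)
	}
	h.TeamID = dstTeam
	return nil
}

func main() {
	// Constructed scenario: mallory maintains only team-b but tries to
	// move a host that currently belongs to team-a.
	mallory := &Caller{ID: "mallory", MaintainerOf: map[string]bool{"team-b": true}}

	h := &Host{ID: "host-1", TeamID: "team-a"}
	err := transferVulnerable(mallory, h, "team-b")
	fmt.Println("vulnerable:", err, "- host now in", h.TeamID)

	h = &Host{ID: "host-1", TeamID: "team-a"}
	err = transferHardened(mallory, h, "team-b")
	fmt.Println("hardened:", err, "- host still in", h.TeamID)
}
```

The same two-sided check applies to any operation that moves, links or re-parents an object between security boundaries: authorize the object's current owner scope and the requested target scope separately, and do so before mutating state so a refusal leaves nothing half-applied.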