
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33 advisories

SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution
Severity: High. CVE-2026-34585, published for github.com/siyuan-note/siyuan/kernel (Go) on Apr 1, 2026. Credited to ngocnn97.

SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client
Severity: Critical. CVE-2026-34448, published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 31, 2026. Credited to ngocnn97.

Contrast BadAML injection allows arbitrary code execution
Severity: High. GHSA-g9ww-x58f-9g6m, published for github.com/edgelesssys/contrast (Go) on Mar 26, 2026. Credited to katexochen and sespiros.

A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution
Severity: Moderate. CVE-2026-33622, published for github.com/pinchtab/pinchtab (Go) on Mar 24, 2026. Credited to Yesuhei.

Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC
Severity: High. CVE-2026-26056, published for github.com/yokecd/yoke (Go) on Feb 12, 2026. Credited to b0b0haha and lixingquzhi.

Skipper is vulnerable to arbitrary code execution through lua filters
Severity: High. CVE-2026-23742, published for github.com/zalando/skipper (Go) on Jan 16, 2026. Credited to moyushui and b0b0haha.

Envoy Extension Policy lua scripts injection causes arbitrary command execution
Severity: High. CVE-2026-22771, published for github.com/envoyproxy/gateway (Go) on Jan 13, 2026. Credited to rikatz, rudrakhp, guydc, and arkodg.

Visual Studio Code Go extension has unexpected untrusted code execution
Severity: Moderate. CVE-2025-68120, published for github.com/golang/vscode-go (Go) on Dec 30, 2025.

esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
Severity: Moderate. CVE-2025-65026, published for github.com/esm-dev/esm.sh (Go) on Nov 19, 2025. Credited to pyozzi-toss.

Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
Severity: Critical. CVE-2025-59823, published for github.com/gardener/gardener-extension-provider-aws (Go) on Sep 25, 2025. Credited to petersutter, kon-angelo, hebelsan, JordanJordanov, and donistz.

Privileged OpenBao Operator May Execute Code on the Underlying Host
Severity: Critical. CVE-2025-54997, published for github.com/openbao/openbao (Go) on Aug 8, 2025.

Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
Severity: Critical. CVE-2025-6000, published for github.com/hashicorp/vault (Go) on Aug 1, 2025.

Helm vulnerable to Code Injection through malicious chart.yaml content
Severity: High. CVE-2025-53547, published for helm.sh/helm/v3 (Go) on Jul 8, 2025. Credited to jake-ciolek.

Cosmos EVM Allows Partial Precompile State Writes
Severity: High. GHSA-mjfq-3qr2-6g84, published for github.com/cosmos/evm (Go) on May 14, 2025.

OPA server Data API HTTP path injection of Rego
Severity: High. CVE-2025-46569, published for github.com/open-policy-agent/opa (Go) on May 1, 2025. Credited to GamrayW, HyouKash, and AdrienIT.

Duplicate Advisory: Plenti - Code Injection - Denial of Services
Severity: Moderate. GHSA-323w-6p85-26fr, published for github.com/plentico/plenti (Go) on Mar 12, 2025. Withdrawn.

Plenti - Code Injection - Denial of Services
Severity: Moderate. CVE-2025-26260, published for github.com/plentico/plenti (Go) on Feb 5, 2025. Credited to ahmetak4n.

Gogs allows argument injection during the previewing of changes
Severity: Critical. CVE-2024-39932, published for gogs.io/gogs (Go) on Dec 23, 2024. Credited to swapgs.

Grafana Command Injection And Local File Inclusion Via Sql Expressions
Severity: Critical. CVE-2024-9264, published for github.com/grafana/grafana (Go) on Oct 18, 2024. Credited to Malayke.

req may send an unintended request when a malformed URL is provided
Severity: Moderate. CVE-2024-45258, published for github.com/imroc/req (Go) on Aug 26, 2024.

Duplicate Advisory: Gogs allows argument injection during the previewing of changes
Severity: Critical. GHSA-hf29-9hfh-w63j, published for github.com/gogs/gogs (Go) on Jul 4, 2024. Withdrawn.

kubevirt allows a local attacker to execute arbitrary code via a crafted command
Severity: Moderate. CVE-2024-33394, published for kubevirt.io/kubevirt (Go) on May 2, 2024.

Heketi Arbitrary Code Execution
Severity: High. CVE-2017-15103, published for github.com/heketi/heketi (Go) on Apr 24, 2024.

free5GC AMF denial of service vulnerability
Severity: High. CVE-2023-49391, published for github.com/free5gc/amf (Go) on Dec 22, 2023.

Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
Severity: High. CVE-2023-5044, published for k8s.io/ingress-nginx (Go) on Oct 25, 2023. Credited to joshbressers.