GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
294 advisories
SpiceDB: Caveat structures with nested lists can result in improper cache reuse
Low | CVE-2026-46668 was published for github.com/authzed/spicedb (Go) | May 21, 2026

androidqf: APK download Path Traversal in device APK paths
Low | GHSA-763j-3p5v-jfc6 was published for github.com/mvt-project/androidqf (Go) | May 21, 2026

androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers)
Low | GHSA-jf2q-463c-6f52 was published for github.com/mvt-project/androidqf (Go) | May 21, 2026

OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
Low | GHSA-pxh5-6rrc-8rjv was published for github.com/opentofu/opentofu (Go) | May 20, 2026

GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Low | CVE-2026-45803 was published for github.com/cli/cli (Go) | May 19, 2026

MCP Registry: OCI validator skips ownership check on upstream rate limits
Low | CVE-2026-45781 was published for github.com/modelcontextprotocol/registry (Go) | May 19, 2026

go-git: Improper single-quote escaping in go-git SSH transport
Low | CVE-2026-45570 was published for github.com/go-git/go-git (Go) | May 19, 2026

OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure
Low | CVE-2026-45683 was published for go.opentelemetry.io/obi (Go) | May 18, 2026

omec-project amf crashes when processing malformed LocationReports
Low | CVE-2026-8349 was published for github.com/omec-project/amf (Go) | May 12, 2026

MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience
Low | CVE-2026-44428 was published for github.com/modelcontextprotocol/registry (Go) | May 8, 2026

bettercap Has an Integer Coercion Error in modules/mysql_server/mysql_server.go
Low | CVE-2026-8276 was published for github.com/bettercap/bettercap/v2 (Go) | May 11, 2026

bettercap Has an Integer Coercion Error in the ippReadChunkedBody Function
Low | CVE-2026-8275 was published for github.com/bettercap/bettercap/v2 (Go) | May 11, 2026

SpiceDB WriteRelationships fails silently if payload is too big
Low | CVE-2025-64529 was published for github.com/authzed/spicedb (Go) | Nov 13, 2025

SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results
Low | CVE-2025-65111 was published for github.com/authzed/spicedb (Go) | Nov 21, 2025

etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests
Low | CVE-2026-44283 was published for go.etcd.io/etcd (Go) | May 7, 2026

OpenBao's Namespace Deletion May Not Delete Data Properly
Low | CVE-2026-42186 was published for github.com/openbao/openbao (Go) | May 5, 2026

Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
Low | CVE-2026-42183 was published for github.com/argoproj/argo-workflows/v4 (Go) | May 4, 2026

pgx: SQL Injection via placeholder confusion with dollar quoted string literals
Low | CVE-2026-41889 was published for github.com/jackc/pgx (Go) | Apr 22, 2026

Ella Core has handover failures during concurrent Security Mode Command
Low | CVE-2026-44474 was published for github.com/ellanetworks/core (Go) | May 11, 2026

Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
Low | CVE-2026-40243 was published for github.com/lxc/incus/v6/cmd/incusd (Go) | May 4, 2026

nhost has Session Persistence After Password Change
Low | GHSA-7hgr-xvrr-xpw3 was published for github.com/nhost/nhost (Go) | May 8, 2026

Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover
Low | CVE-2026-42082 was published for github.com/free5gc/amf (Go) | May 7, 2026

MediaMTX affected by CVE-2026-27143 due to vulnerable dependency
Low | GHSA-2ccx-cjjh-r2j8 was published for github.com/bluenviron/mediamtx (Go) | May 6, 2026

Ollama is Vulnerable to Path Traversal
Low | CVE-2026-7020 was published for github.com/ollama/ollama (Go) | Apr 26, 2026

melange has Path Traversal via .PKGINFO in --persist-lint-results
Low | CVE-2026-29051 was published for chainguard.dev/melange (Go) | Apr 23, 2026

ProTip! Advisories are also available from the GraphQL API