GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,894 advisories
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
Severity: High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to offset, vdemeester, kodareef5, and waveywaves

Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Severity: Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam

BoxLite: Permission Bypass Allows Modification of Read-Only Files
Severity: Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
Credited to XlabAITeam

containerd user ID handling bypass allows runAsNonRoot evasion
Severity: High
CVE-2026-46680 was published for github.com/containerd/containerd (Go) May 21, 2026
Credited to ssst0n3

Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Severity: High
CVE-2026-40161 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
Credited to kodareef5, vdemeester, stenzopolis1986-art, and waveywaves

SpiceDB: Caveat structures with nested lists can result in improper cache reuse
Severity: Low
CVE-2026-46668 was published for github.com/authzed/spicedb (Go) May 21, 2026

Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
Severity: Moderate
CVE-2026-46618 was published for github.com/fission/fission (Go) May 21, 2026
Credited to b0b0haha, j311yl0v3u, and sanketsudake

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Severity: Critical
CVE-2026-46614 was published for github.com/fission/fission (Go) May 21, 2026
Credited to FORIMOC and sanketsudake

Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives
Severity: High
CVE-2026-46612 was published for github.com/fission/fission (Go) May 21, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake

Crabbox: environment variable exposure vulnerability
Severity: Critical
CVE-2026-8634 was published for github.com/openclaw/crabbox (Go) May 14, 2026

Crabbox: authentication bypass vulnerability that allows impersonation of others by spoofing identity headers
Severity: High
CVE-2026-8621 was published for github.com/openclaw/crabbox (Go) May 14, 2026

androidqf: APK download Path Traversal in device APK paths
Severity: Low
GHSA-763j-3p5v-jfc6 was published for github.com/mvt-project/androidqf (Go) May 21, 2026

androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers)
Severity: Low
GHSA-jf2q-463c-6f52 was published for github.com/mvt-project/androidqf (Go) May 21, 2026

Klever-Go KVM read-only execution can commit contract delete and upgrade side effects
Severity: Moderate
CVE-2026-46403 was published for github.com/klever-io/klever-go (Go) May 21, 2026

hjson stack exhaustion vulnerability
Severity: High
CVE-2023-34620 was published for github.com/hjson/hjson-go/v4 (Composer) Jun 14, 2023
Credited to achibear

Moby has AuthZ plugin bypass when provided oversized request bodies
Severity: High
CVE-2026-34040 was published for github.com/docker/docker (Go) Mar 27, 2026
Credited to vvoland, manizada, VladimirEliTokarev, 1seal, and bottarocarlo

podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints
Severity: Moderate
CVE-2026-43644 was published for github.com/stefanprodan/podinfo (Go) May 14, 2026

OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
Severity: Low
GHSA-pxh5-6rrc-8rjv was published for github.com/opentofu/opentofu (Go) May 20, 2026

Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
Severity: Moderate
CVE-2026-46431 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen

Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS
Severity: Moderate
CVE-2026-46430 was published for github.com/xyproto/algernon (Go) May 20, 2026
Credited to Dredsen

RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
Severity: Critical
CVE-2026-41179 was published for github.com/rclone/rclone (Go) Apr 22, 2026
Credited to 0wnerDied, ncw, and augustocesarperin

Caddy Defender trusted proxy client IP bypass
Severity: High
CVE-2026-46415 was published for pkg.jsn.cam/caddy-defender (Go) May 19, 2026
Credited to JasonLovesDoggo

FileBrowser Quantum: unauthenticated user share share info
Severity: High
CVE-2026-46410 was published for github.com/gtsteffaniak/filebrowser (Go) May 19, 2026

Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal
Severity: High
CVE-2026-46378 was published for github.com/tomwright/dasel/v3 (Go) May 19, 2026
Credited to kq5y