GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,479 advisories

Daptin has Unauthenticated Path Traversal and Zip Slip Critical
GHSA-9cp7-j3f8-p5jx was published for github.com/daptin/daptin (Go) Apr 10, 2026
Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence Moderate
CVE-2026-5774 was published for github.com/juju/juju (Go) Apr 10, 2026
Credited to fg0x0 and wallyworld
Juju: CloudSpec method leaking cloud credentials Critical
CVE-2026-5412 was published for github.com/juju/juju (Go) Apr 10, 2026
Credited to alesstimec, wallyworld, and hpidcock
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint High
CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 10, 2026
Credited to msoneri
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering Low
CVE-2026-40109 was published for github.com/fluxcd/notification-controller (Go) Apr 10, 2026
Credited to saroj345
Step CA affected by an index out of bounds panic in TPM attestation EKU validation Low
CVE-2026-40097 was published for github.com/smallstep/certificates (Go) Apr 10, 2026
Credited to 1seal
goshs has a file-based ACL authorization bypass in goshs state-changing routes Critical
CVE-2026-40189 was published for github.com/patrickhener/goshs (Go) Apr 10, 2026
Credited to R1ZZG0D
goshs is Missing Write Protection for Parametric Data Values High
CVE-2026-40188 was published for github.com/patrickhener/goshs (Go) Apr 10, 2026
Credited to marduc812
Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload Moderate
GHSA-69hx-63pv-f8f4 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to offset
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation Moderate
GHSA-r2x7-427f-rq69 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to offset
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure Moderate
GHSA-w8jj-cwmc-wgq2 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to offset
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass Moderate
GHSA-fwg7-53p4-g33c was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to offset
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session Moderate
GHSA-hm2h-wwwh-g49x was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to offset
Ech0: Missing authorization on dashboard log endpoints allows low-privilege users to access sensitive system logs Moderate
GHSA-cp79-9mwr-wr49 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to threalwinky
Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export High
GHSA-4h9q-p5j4-xvvh was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to threalwinky
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` High
GHSA-vw86-c94w-v3x4 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to ch1nhpd
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView` High
CVE-2026-40259 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to ch1nhpd
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering High
CVE-2026-40107 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to kodareef5
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf Critical
CVE-2026-34177 was published for github.com/canonical/lxd (Go) Apr 10, 2026
Credited to mpurg
LXD: Importing a crafted backup leads to project restriction bypass Critical
CVE-2026-34178 was published for github.com/canonical/lxd (Go) Apr 10, 2026
Credited to mpurg
LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin Critical
CVE-2026-34179 was published for github.com/canonical/lxd (Go) Apr 10, 2026
Credited to mpurg
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter Low
CVE-2026-40077 was published for github.com/henrygd/beszel (Go) Apr 10, 2026
Credited to marduc812, kodareef5, and lakshayyverma
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource Moderate
CVE-2026-39961 was published for github.com/aiven/aiven-operator (Go) Apr 10, 2026
Credited to AndresAIFR
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds Moderate
CVE-2026-40103 was published for code.vikunja.io/api (Go) Apr 10, 2026
Credited to alecclyde
Vikunja has File Size Limit Bypass via Vikunja Import Moderate
CVE-2026-35602 was published for code.vikunja.io/api (Go) Apr 10, 2026
Credited to adrgs and aisafe-bot