Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,880
Maven
5,000+
npm
4,518
NuGet
784
pip
4,260
Pub
12
RubyGems
975
Rust
1,105
Swift
49
Unreviewed advisories
All unreviewed
5,000+

2,880 advisories

Loading
Juju has broken CMR authorization Low
CVE-2026-1237 was published for github.com/juju/juju (Go) Jan 29, 2026
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE Critical
GHSA-c4jr-5q7w-f6r9 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 29, 2026
thxtech
Credited to thxtech
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal High
GHSA-f72r-2h5j-7639 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 28, 2026
EaEa0001
Credited to EaEa0001
Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access Moderate
CVE-2026-24748 was published for github.com/akuity/kargo (Go) Jan 27, 2026
Kyverno Denial of Service via Context Variable Amplification in Policy Engine High
CVE-2026-23881 was published for github.com/kyverno/kyverno (Go) Jan 27, 2026
thevilledev
Credited to thevilledev
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall Critical
CVE-2026-22039 was published for github.com/kyverno/kyverno (Go) Jan 27, 2026
thevilledev
Credited to thevilledev
gmrtd ReadFile Vulnerable to Denial of Service via Excessive TLV Length Values Moderate
CVE-2026-24738 was published for github.com/gmrtd/gmrtd (Go) Jan 27, 2026
ramrunner
Credited to ramrunner
Dozzle Agent Label-Based Access Control Bypass Allows Unauthorized Container Shell Access High
CVE-2026-24740 was published for github.com/amir20/dozzle (Go) Jan 27, 2026
k14uz
Credited to k14uz
go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names Moderate
CVE-2026-24686 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 26, 2026
1seal rdimitrov
kommendorkapten
Credited to 1seal, rdimitrov, and kommendorkapten
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName High
CVE-2026-24470 was published for github.com/zalando/skipper (Go) Jan 26, 2026
b0b0haha moyushui
j311yl0v3u
Credited to b0b0haha, moyushui, and j311yl0v3u
Duplicate Advisory: go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data Moderate
GHSA-86rf-68f4-2cph was published for github.com/go-viper/mapstructure/v2 (Go) Jan 26, 2026 withdrawn
KubeVirt Guest Agent DoS via Excessive Network Interface Reports Moderate
CVE-2025-14525 was published for kubevirt.io/kubevirt (Go) Jan 26, 2026
CometBFT has inconsistencies between how commit signatures are verified and how block time is derived High
GHSA-c32p-wcqj-j677 was published for github.com/cometbft/cometbft (Go) Jan 23, 2026
Gitea does not properly validate ownership when toggling OpenID URI visibility Moderate
CVE-2026-20904 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea does not properly validate repository ownership when linking attachments to releases Moderate
CVE-2026-20912 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea does not properly validate repository ownership when deleting Git LFS locks Moderate
CVE-2026-20897 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea improperly exposes issue and pull request titles Low
CVE-2026-20800 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea may send release notification emails for private repositories to users whose access has been revoked Low
CVE-2026-0798 was published for code.gitea.io/gitea (Go) Jan 23, 2026
Gitea has improper access control for uploaded attachments Low
CVE-2026-20736 was published for code.gitea.io/gitea (Go) Jan 23, 2026
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface Moderate
CVE-2026-20888 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea does not properly validate project ownership in organization project operations Moderate
CVE-2026-20750 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea improperly exposes issue titles and repository names through previously started stopwatches Low
CVE-2026-20883 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal Moderate
CVE-2026-24137 was published for github.com/sigstore/sigstore (Go) Jan 22, 2026
1seal
Credited to 1seal
Incus container image templating arbitrary host file read and write High
CVE-2026-23954 was published for github.com/lxc/incus/v6/cmd/incusd (Go) Jan 22, 2026
rmcnamara-snyk
Credited to rmcnamara-snyk
Incus container environment configuration newline injection High
CVE-2026-23953 was published for github.com/lxc/incus/v6 (Go) Jan 22, 2026
rmcnamara-snyk
Credited to rmcnamara-snyk
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database