
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,653 advisories

Grafana Tempo has an Uncontrolled Resource Consumption issue (High)
CVE-2026-21728 was published for github.com/grafana/tempo (Go) Apr 24, 2026

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write (High)
CVE-2026-42275 was published for github.com/openziti/zrok (Go) Apr 25, 2026
Credited to bugbunny-research

Heimdall has an authorization bypass via path normalization mismatch (High)
CVE-2026-42274 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026

Heimdall: Case-sensitive host matching may lead to policy bypass (High)
CVE-2026-42273 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026

Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation (High)
CVE-2026-42272 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) (High)
CVE-2026-42575 was published for chainguard.dev/apko (Go) May 4, 2026
Credited to 1seal and antitree

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root (High)
CVE-2026-42574 was published for chainguard.dev/apko (Go) May 4, 2026
Credited to 1seal, antitree, and markusthoemmes

apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery (Moderate)
CVE-2026-42576 was published for chainguard.dev/apko (Go) May 4, 2026
Credited to 1seal, antitree, and markusthoemmes

Pelican Web UI Affected by a Privilege Escalation Attack (Critical)
CVE-2026-42571 was published for github.com/pelicanplatform/pelican (Go) May 4, 2026
Credited to brianaydemir, jhiemstrawisc, matyasselmeci, and williamnswanson

Distribution's tag deletion bypasses `storage.delete.enabled` configuration (Moderate)
CVE-2026-41888 was published for github.com/distribution/distribution (Go) May 4, 2026
Credited to joonas

Argo vulnerable to exposure of artifact repository credentials (High)
CVE-2026-42295 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Credited to Masamuneee, Joibel, and isubasinghe

Argo has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure (High)
CVE-2026-42296 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
Credited to vnykmshr, Joibel, and isubasinghe

Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor (High)
CVE-2026-42294 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
Credited to Rudra2018, Joibel, and isubasinghe

goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS (Moderate)
CVE-2026-42091 was published for github.com/patrickhener/goshs (Go) Apr 23, 2026

Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars (Critical)
CVE-2026-41492 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to MaherAzzouzi

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field (Critical)
CVE-2026-41328 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to VladimirEliTokarev

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field (Critical)
CVE-2026-41327 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
Credited to VladimirEliTokarev

Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go) (Low)
CVE-2026-42183 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Credited to Wernerina, Joibel, and isubasinghe

Argo has Missing Authorization in its Sync ConfigMap Provider (High)
CVE-2026-42297 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Credited to nebojsaj1726, Joibel, and isubasinghe

NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access (Critical)
CVE-2026-42072 was published for github.com/orneryd/nornicdb (Go) Apr 22, 2026

Incus is affected by unbounded binary import disk exhaustion (Moderate)
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm and stgraber

Incus has Nil Dereferences on Restore via Malformed YAML (Moderate)
CVE-2026-41684 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber

Incus has Unbounded YAML Metadata Decode via Parsing (Low)
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber

Incus has Nil-Pointer Dereference via S3 Bucket Import (Moderate)
CVE-2026-41647 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to raefko, Ectario, and stgraber

Kata Container has CopyFile Policy Subversion via Symlinks (High)
CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) May 4, 2026
Credited to fitzthum, calonso-nv, fikriwahab, burgerdev, danmihai1, jojimt, and fidencio
