
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,460 advisories

SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass) Moderate
CVE-2026-33194 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to restriction
free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request Moderate
CVE-2026-33065 was published for github.com/free5gc/udm (Go) Mar 18, 2026
Zitadel is missing enforcement of organization scopes Moderate
CVE-2026-33132 was published for github.com/zitadel/zitadel (Go) Mar 18, 2026
Credited to peintnermax, grvijayan, wim07101993, livio-a, and motoki317
PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation Moderate
CVE-2026-33081 was published for github.com/pinchtab/pinchtab (Go) Mar 18, 2026
Credited to Yesuhei
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata Moderate
CVE-2026-33067 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to 0xkakash1
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering Moderate
CVE-2026-33066 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to 0xkakash1
File Browser has an Authorization Policy Bypass in Public Share Download Flow Moderate
CVE-2026-32761 was published for https://github.com/filebrowser/filebrowser (Go) Mar 18, 2026
Credited to Ahmad-jarwan and hacdias
Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121 Moderate
GHSA-594f-3595-c47v was published for github.com/argoproj-labs/terraform-provider-argocd (Go) Mar 18, 2026
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun Moderate
CVE-2026-33022 was published for github.com/tektoncd/pipeline (Go) Mar 17, 2026
Credited to 1seal, vdemeester, and afrittoli
Tillitis TKey Client has an Error in Protocol Implementation Moderate
CVE-2026-32953 was published for github.com/tillitis/tkeyclient (Go) Mar 17, 2026
Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports Moderate
CVE-2026-32941 was published for github.com/bishopfox/sliver (Go) Mar 17, 2026
Credited to skoveit
Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration Moderate
GHSA-j94x-8wcp-x7hm was published for github.com/akuity/kargo (Go) Mar 16, 2026
Credited to maru1009 and krancour
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter Moderate
CVE-2026-32758 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 16, 2026
Credited to iconnnjka and hacdias
SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS Moderate
GHSA-v3mg-9v85-fcm7 was published for siyuan (Go) Mar 16, 2026
Credited to 0xkakash1
File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely Moderate
CVE-2026-32759 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 16, 2026
Credited to fg0x0
SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface Moderate
CVE-2026-32751 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to 0xkakash1
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes Moderate
CVE-2026-32750 was published for github.com/siyuan-note/siyuan (Go) Mar 16, 2026
Credited to fg0x0
SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure Moderate
CVE-2026-32815 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to 0xkakash1
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets Moderate
CVE-2026-32747 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to fg0x0
Mattermost fails to properly enforce read permissions in search API endpoints Moderate
CVE-2026-24692 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation Moderate
CVE-2026-2455 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Mattermost fails to use consistent error responses when handling the /mute command Moderate
CVE-2026-21386 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Mattermost fails to validate team-specific upload_file permissions Moderate
CVE-2026-4265 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Mattermost fails to limit the size of responses from integration action endpoints Moderate
CVE-2026-2456 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Mattermost fails to filter invite IDs based on user permissions Moderate
CVE-2026-2463 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026