
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,227 advisories

Openshift Hive Exposes VCenter Credentials via ClusterProvision High
CVE-2025-2241 was published for github.com/openshift/hive (Go) Mar 17, 2025
Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports Moderate
CVE-2026-32941 was published for github.com/bishopfox/sliver (Go) Mar 17, 2026
Credited to skoveit
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) Critical
CVE-2026-32940 was published for github.com/siyuan-note/siyuan (Go) Mar 17, 2026
Credited to vnykmshr
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service Critical
CVE-2026-32938 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 17, 2026
Credited to TCOTC, YuxinZhaozyx, and 88250
File Browser Signup Grants Admin When Default Permissions Include Admin Critical
CVE-2026-32760 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 16, 2026
Credited to fg0x0 and hacdias
SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure Moderate
CVE-2026-32815 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to 0xkakash1
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
Credited to 0xkakash1
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod Critical
CVE-2026-33211 was published for github.com/tektoncd/pipeline (Go) Mar 18, 2026
Credited to 1seal, vdemeester, afrittoli, and KoreaSecurity
Unsigned SAML LogoutRequest Acceptance in gosaml2 High
GHSA-pcgw-qcv5-h8ch was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
Credited to xclow3n
gosaml2 CBC Padding Panic — Unauthenticated Process Crash High
GHSA-hwqm-qvj9-4jr2 was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
Credited to xclow3n
validateSignature Loop Variable Capture Signature Bypass in goxmldsig High
GHSA-479m-364c-43vc was published for github.com/russellhaering/goxmldsig (Go) Mar 18, 2026
Credited to tomasilluminati
mo has a XSS via inline SVG script tags in Markdown rendering Low
GHSA-vccx-p757-pv6h was published for github.com/k1LoW/mo (Go) Mar 18, 2026
Credited to yagihash
free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques High
CVE-2026-33192 was published for github.com/free5gc/udm (Go) Mar 18, 2026
free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error High
CVE-2026-33191 was published for github.com/free5gc/udm (Go) Mar 18, 2026
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass High
CVE-2026-33203 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to mith36
SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass) Moderate
CVE-2026-33194 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to restriction
gRPC-Go has an authorization bypass via missing leading slash in :path Critical
CVE-2026-33186 was published for google.golang.org/grpc (Go) Mar 18, 2026
Credited to MariuszMaik
free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request Moderate
CVE-2026-33065 was published for github.com/free5gc/udm (Go) Mar 18, 2026
free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference High
CVE-2026-33064 was published for github.com/free5gc/udm (Go) Mar 18, 2026
free5GC AUSF UE Authentication Panic on Nil SuciSupiMap Interface Conversion High
CVE-2026-33063 was published for github.com/free5gc/ausf (Go) Mar 18, 2026
free5GC NRF Discovery EncodeGroupId Function Panics on Malformed group-id-list Parameter High
CVE-2026-33062 was published for github.com/free5gc/nrf (Go) Mar 18, 2026
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info High
CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 9, 2026
Credited to mdcoxe
Out-of-Bounds Slice Access in free5GC CHF Leading to DoS High
CVE-2026-32937 was published for github.com/free5gc/chf (Go) Mar 18, 2026
Credited to LinZiyuu
Zitadel is missing enforcement of organization scopes Moderate
CVE-2026-33132 was published for github.com/zitadel/zitadel (Go) Mar 18, 2026
Credited to peintnermax, grvijayan, wim07101993, livio-a, and motoki317
PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation Moderate
CVE-2026-33081 was published for github.com/pinchtab/pinchtab (Go) Mar 18, 2026
Credited to Yesuhei