GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,297
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
18 advisories
Filter by severity
Authelia has an Edge Case Access Control Rule Mismatch
Low
CVE-2026-48794
was published
for
github.com/authelia/authelia/v4
(Go)
Jun 26, 2026
OpenFGA Improper Policy Enforcement
Low
CVE-2026-55170
was published
for
github.com/openfga/openfga
(Go)
Jun 18, 2026
Authelia Missing Username Canonicalization in Basic Auth (LDAP)
Low
CVE-2026-47203
was published
for
github.com/authelia/authelia/v4
(Go)
May 29, 2026
Envoy AI Proxy - MCP Message Smuggling Vulnerability
Moderate
GHSA-4gph-2hhr-5mwg
was published
for
github.com/envoyproxy/ai-gateway
(Go)
May 19, 2026
Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files
High
CVE-2026-45135
was published
for
github.com/caddyserver/caddy/v2
(Go)
May 18, 2026
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
High
CVE-2026-45062
was published
for
github.com/dunglas/frankenphp
(Go)
May 15, 2026
Heimdall: Case-sensitive host matching may lead to policy bypass
High
CVE-2026-42273
was published
for
github.com/dadrus/heimdall
(Go)
Apr 25, 2026
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
High
CVE-2026-42272
was published
for
github.com/dadrus/heimdall
(Go)
Apr 25, 2026
Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags
High
GHSA-qmwh-9m9c-h36m
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
Apr 7, 2026
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
High
CVE-2026-29054
was published
for
github.com/traefik/traefik/v2
(Go)
Mar 4, 2026
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
High
CVE-2026-27896
was published
for
github.com/modelcontextprotocol/go-sdk
(Go)
Feb 26, 2026
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
High
CVE-2026-27588
was published
for
github.com/caddyserver/caddy/v2
(Go)
Feb 24, 2026
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
High
CVE-2026-27587
was published
for
github.com/caddyserver/caddy/v2
(Go)
Feb 24, 2026
File Browser has an Authentication Bypass in User Password Update
Moderate
CVE-2026-25889
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Feb 10, 2026
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal
High
CVE-2026-25992
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jan 28, 2026
Privilege escalation in MOSN
Critical
CVE-2021-32163
was published
for
mosn.io/mosn
(Go)
Feb 17, 2023
Authorization Policy Bypass Due to Case Insensitive Host Comparison
High
CVE-2021-39155
was published
for
istio.io/istio
(Go)
Aug 30, 2021
Redirect URL matching ignores character casing
Moderate
CVE-2020-15234
was published
for
github.com/ory/fosite
(Go)
May 24, 2021
ProTip!
Advisories are also available from the
GraphQL API