Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

18 advisories

Loading
Authelia has an Edge Case Access Control Rule Mismatch Low
CVE-2026-48794 was published for github.com/authelia/authelia/v4 (Go) Jun 26, 2026
j0hndo Credited to j0hndo, james-d-elliott, Crowley723, and nightah james-d-elliott james-d-elliott
Crowley723 Crowley723 nightah nightah
OpenFGA Improper Policy Enforcement Low
CVE-2026-55170 was published for github.com/openfga/openfga (Go) Jun 18, 2026
sahajamoth Credited to sahajamoth
Authelia Missing Username Canonicalization in Basic Auth (LDAP) Low
CVE-2026-47203 was published for github.com/authelia/authelia/v4 (Go) May 29, 2026
Nadav0077 Credited to Nadav0077, james-d-elliott, nightah, and Crowley723 james-d-elliott james-d-elliott
nightah nightah Crowley723 Crowley723
Envoy AI Proxy - MCP Message Smuggling Vulnerability Moderate
GHSA-4gph-2hhr-5mwg was published for github.com/envoyproxy/ai-gateway (Go) May 19, 2026
anaximand3r Credited to anaximand3r
Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files High
CVE-2026-45135 was published for github.com/caddyserver/caddy/v2 (Go) May 18, 2026
dunglas Credited to dunglas, KC1zs4, and chenjj KC1zs4 KC1zs4
chenjj chenjj
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files High
CVE-2026-45062 was published for github.com/dunglas/frankenphp (Go) May 15, 2026
KC1zs4 Credited to KC1zs4, chenjj, and dunglas chenjj chenjj
dunglas dunglas
Heimdall: Case-sensitive host matching may lead to policy bypass High
CVE-2026-42273 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation High
CVE-2026-42272 was published for github.com/dadrus/heimdall (Go) Apr 25, 2026
Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags High
GHSA-qmwh-9m9c-h36m was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 7, 2026
kodareef5 Credited to kodareef5
1seal Credited to 1seal
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity High
CVE-2026-27896 was published for github.com/modelcontextprotocol/go-sdk (Go) Feb 26, 2026
anaximand3r Credited to anaximand3r
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass High
CVE-2026-27588 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
manizada Credited to manizada
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass High
CVE-2026-27587 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
manizada Credited to manizada
File Browser has an Authentication Bypass in User Password Update Moderate
CVE-2026-25889 was published for github.com/filebrowser/filebrowser/v2 (Go) Feb 10, 2026
dogadmin Credited to dogadmin and hacdias hacdias hacdias
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal High
CVE-2026-25992 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 28, 2026
EaEa0001 Credited to EaEa0001
Privilege escalation in MOSN Critical
CVE-2021-32163 was published for mosn.io/mosn (Go) Feb 17, 2023
Authorization Policy Bypass Due to Case Insensitive Host Comparison High
CVE-2021-39155 was published for istio.io/istio (Go) Aug 30, 2021
yangminzhu Credited to yangminzhu, avivdolev, and tdunlap607 avivdolev avivdolev
tdunlap607 tdunlap607
Redirect URL matching ignores character casing Moderate
CVE-2020-15234 was published for github.com/ory/fosite (Go) May 24, 2021
mitar Credited to mitar
ProTip! Advisories are also available from the GraphQL API