GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
41 advisories
Filter by severity
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Critical
CVE-2026-54089
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward
Moderate
CVE-2026-45045
was published
for
github.com/gofiber/fiber/v2
(Go)
Jul 2, 2026
chi Has an IP Spoofing Vulnerability in `middleware.RealIP`
Moderate
GHSA-3fxj-6jh8-hvhx
was published
for
github.com/go-chi/chi/v5/middleware
(Go)
Jun 25, 2026
chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header
High
GHSA-rjr7-jggh-pgcp
was published
for
github.com/go-chi/chi/middleware
(Go)
Jun 25, 2026
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers
High
CVE-2026-25119
was published
for
gogs.io/gogs
(Go)
Jun 22, 2026
Heimdall: IP Spoofing via Unvalidated Forwarding Headers
High
GHSA-38x9-25wx-7fg2
was published
for
https://github.com/dadrus/heimdall
(Go)
Jun 18, 2026
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
High
CVE-2026-52845
was published
for
github.com/caddyserver/caddy
(Go)
Jun 16, 2026
Fleet Windows MDM Azure AD JWT Authentication Bypass
High
CVE-2026-24899
was published
for
github.com/fleetdm/fleet/v4
(Go)
May 14, 2026
CoreDNS Cache Poisoning via a birthday attack
Moderate
CVE-2023-30464
was published
for
github.com/coredns/coredns
(Go)
Sep 18, 2024
Fleet: IP spoofing allows bypassing API rate limiting
Moderate
CVE-2026-46356
was published
for
github.com/fleetdm/fleet/v4
(Go)
May 14, 2026
Fleet has a rate limiting bypass via untrusted client IP headers
Moderate
CVE-2026-24000
was published
for
github.com/fleetdm/fleet/v4
(Go)
May 14, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High
CVE-2026-42602
was published
for
github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
(Go)
May 6, 2026
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
High
CVE-2026-39858
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing
Critical
CVE-2026-40575
was published
for
github.com/oauth2-proxy/oauth2-proxy/v7
(Go)
Apr 15, 2026
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode
Critical
CVE-2026-34457
was published
for
github.com/oauth2-proxy/oauth2-proxy
(Go)
Apr 14, 2026
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
Moderate
CVE-2026-33223
was published
for
github.com/nats-io/nats-server
(Go)
Mar 24, 2026
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers
Moderate
CVE-2026-33246
was published
for
github.com/nats-io/nats-server
(Go)
Mar 24, 2026
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token
Moderate
CVE-2026-33621
was published
for
github.com/pinchtab/pinchtab
(Go)
Mar 24, 2026
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
Moderate
CVE-2026-33433
was published
for
github.com/traefik/traefik/v2
(Go)
Mar 27, 2026
Authentication Bypass by Spoofing in github.com/greenpau/caddy-security
Moderate
CVE-2024-21494
was published
for
github.com/greenpau/caddy-security
(Go)
Feb 17, 2024
Shiori is vulnerable to authentication bypass via a brute force attack
Moderate
CVE-2025-60538
was published
for
github.com/go-shiori/shiori
(Go)
Jan 9, 2026
1Panel – CAPTCHA Bypass via Client-Controlled Flag
High
CVE-2025-66507
was published
for
github.com/1Panel-dev/1Panel
(Go)
Dec 8, 2025
1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
Moderate
CVE-2025-66508
was published
for
github.com/1Panel-dev/1Panel
(Go)
Dec 8, 2025
Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
Moderate
CVE-2025-54288
was published
for
github.com/canonical/lxd
(Go)
Oct 2, 2025
Coder AgentAPI exposed user chat history via a DNS rebinding attack
Moderate
CVE-2025-59956
was published
for
github.com/coder/agentapi
(Go)
Sep 29, 2025
ProTip!
Advisories are also available from the
GraphQL API