Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

485 advisories

Loading
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation Critical
GHSA-g936-7jqj-mwv8 was published for github.com/almeidapaulopt/tsdproxy (Go) Jul 10, 2026
therawdev Credited to therawdev
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content Critical
CVE-2026-50551 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
Yunkaiwjs Credited to Yunkaiwjs
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() Critical
CVE-2026-54158 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) Critical
CVE-2026-54088 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Saku0512 Credited to Saku0512 and hacdias hacdias hacdias
File Browser: Authentication Bypass via Proxy Auth Header Forgery Critical
CVE-2026-54089 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist Critical
CVE-2026-54069 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
oduoke567 Credited to oduoke567
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL Critical
CVE-2026-54072 was published for github.com/authorizerdev/authorizer (Go) Jul 10, 2026
morimori-dev Credited to morimori-dev
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() Critical
CVE-2026-54067 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
hillalee Credited to hillalee
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE Critical
CVE-2026-53649 was published for github.com/BishopFox/joro (Go) Jul 8, 2026
stover-BF Credited to stover-BF
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE Critical
CVE-2026-52831 was published for github.com/nuclio/nuclio (Go) Jul 8, 2026
j311yl0v3u Credited to j311yl0v3u and b0b0haha b0b0haha b0b0haha
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers Critical
CVE-2026-53552 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access Critical
CVE-2026-49445 was published for github.com/cilium/cilium (Go) Jul 6, 2026
0xch4z Credited to 0xch4z and moemen moemen moemen
Rancher has Privilege Escalation from Project Owner to Host Critical
CVE-2026-41052 was published for github.com/rancher/rancher (Go) Jul 1, 2026
MMunier Credited to MMunier and Trolldemorted Trolldemorted Trolldemorted
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer Critical
CVE-2026-44935 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Rancher vulnerable to command injection through unsanitized YAML parameter Critical
CVE-2026-44939 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Ibonok Credited to Ibonok
Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation Critical
CVE-2026-50566 was published for github.com/fission/fission (Go) Jun 30, 2026
HiyokoSauna37 Credited to HiyokoSauna37 and sanketsudake sanketsudake sanketsudake
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape Critical
CVE-2026-50564 was published for github.com/fission/fission (Go) Jun 30, 2026
0xVijay Credited to 0xVijay and sanketsudake sanketsudake sanketsudake
Fission Container Executor Function PodSpec Injection Leading to Node Escape Critical
CVE-2026-50563 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover Critical
CVE-2026-50545 was published for github.com/fission/fission (Go) Jun 30, 2026
j311yl0v3u Credited to j311yl0v3u, b0b0haha, and sanketsudake b0b0haha b0b0haha
sanketsudake sanketsudake
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key Critical
CVE-2026-53519 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
riodrwn Credited to riodrwn
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check Critical
GHSA-q6xx-5vr8-p898 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Uhudsavasindankacanokcu2 Credited to Uhudsavasindankacanokcu2
Incus has an arbitrary file write on its client due to trusted image hash Critical
CVE-2026-48769 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has an argument injection in backup compression algorithm leading to AFW and ACE Critical
CVE-2026-48755 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has an arbitrary file write via path traversal in S3 multipart upload Critical
CVE-2026-48753 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has arbitrary file read+write on host via templates/ symlink in malicious image Critical
CVE-2026-48752 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
ProTip! Advisories are also available from the GraphQL API