GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
485 advisories
Filter by severity
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
Critical
GHSA-g936-7jqj-mwv8
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Critical
CVE-2026-50551
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
Critical
CVE-2026-54158
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Critical
CVE-2026-54089
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
Critical
CVE-2026-54069
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
Critical
CVE-2026-54072
was published
for
github.com/authorizerdev/authorizer
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
Critical
CVE-2026-54067
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE
Critical
CVE-2026-52831
was published
for
github.com/nuclio/nuclio
(Go)
Jul 8, 2026
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
Critical
CVE-2026-53552
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access
Critical
CVE-2026-49445
was published
for
github.com/cilium/cilium
(Go)
Jul 6, 2026
Rancher has Privilege Escalation from Project Owner to Host
Critical
CVE-2026-41052
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Critical
CVE-2026-44935
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Rancher vulnerable to command injection through unsanitized YAML parameter
Critical
CVE-2026-44939
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation
Critical
CVE-2026-50566
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
Critical
CVE-2026-50564
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission Container Executor Function PodSpec Injection Leading to Node Escape
Critical
CVE-2026-50563
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover
Critical
CVE-2026-50545
was published
for
github.com/fission/fission
(Go)
Jun 30, 2026
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Critical
CVE-2026-53519
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check
Critical
GHSA-q6xx-5vr8-p898
was published
for
github.com/nezhahq/nezha
(Go)
Jun 26, 2026
Incus has an arbitrary file write on its client due to trusted image hash
Critical
CVE-2026-48769
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus has an argument injection in backup compression algorithm leading to AFW and ACE
Critical
CVE-2026-48755
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus has an arbitrary file write via path traversal in S3 multipart upload
Critical
CVE-2026-48753
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
Incus has arbitrary file read+write on host via templates/ symlink in malicious image
Critical
CVE-2026-48752
was published
for
github.com/lxc/incus/v7/cmd/incusd
(Go)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API