GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
485 advisories
Filter by severity
TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
Critical
GHSA-g936-7jqj-mwv8
was published
for
github.com/almeidapaulopt/tsdproxy
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Critical
CVE-2026-50551
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
Critical
CVE-2026-54158
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
Critical
CVE-2026-54069
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
File Browser: Authentication Bypass via Proxy Auth Header Forgery
Critical
CVE-2026-54089
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
Critical
CVE-2026-54072
was published
for
github.com/authorizerdev/authorizer
(Go)
Jul 10, 2026
SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
Critical
CVE-2026-54067
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses
Critical
CVE-2026-39830
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys
Critical
CVE-2026-39832
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status
Critical
CVE-2026-42508
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement
Critical
CVE-2026-46595
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
Critical
CVE-2026-52806
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
Casdoor: GetTokenExchangeToken bypass through lack of cross-organization JWT signature check
Critical
CVE-2026-9094
was published
for
github.com/casdoor/casdoor
(Go)
May 28, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE
Critical
CVE-2026-52831
was published
for
github.com/nuclio/nuclio
(Go)
Jul 8, 2026
Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
Critical
CVE-2026-53552
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
golang.org/x/crypto doesn't enforce invoking key constraints
Critical
CVE-2026-39833
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto vulnerable to infinite loop on large channel writes
Critical
CVE-2026-39834
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed
Critical
CVE-2026-39831
was published
for
golang.org/x/crypto
(Go)
Jun 25, 2026
nginx-ui Backup Restore Allows Tampering with Encrypted Backups
Critical
CVE-2026-33026
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Mar 30, 2026
Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature
Critical
CVE-2024-23827
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Jan 29, 2024
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access
Critical
CVE-2026-49445
was published
for
github.com/cilium/cilium
(Go)
Jul 6, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical
CVE-2026-26190
was published
for
github.com/milvus-io/milvus
(Go)
Feb 11, 2026
Karmada Dashboard API Unauthorized Access Vulnerability
Critical
CVE-2025-62714
was published
for
github.com/karmada-io/dashboard
(Go)
Oct 24, 2025
ProTip!
Advisories are also available from the
GraphQL API