Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,583 advisories

Loading
melange: Incomplete package integrity verification allows data section substitution High
CVE-2026-54174 was published for chainguard.dev/apko (Go) Jul 10, 2026
xnox Credited to xnox and egibs egibs egibs
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS) High
CVE-2026-54063 was published for github.com/xuri/excelize/v2 (Go) Jul 10, 2026
EQSTLab Credited to EQSTLab
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894 High
CVE-2026-54066 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
aslein1413-sys Credited to aslein1413-sys
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p) High
CVE-2026-50553 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
tonghuaroot Credited to tonghuaroot, Yunkaiwjs, and enchant97 Yunkaiwjs Yunkaiwjs
enchant97 enchant97
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests High
CVE-2026-50197 was published for github.com/zalando/skipper (Go) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise High
CVE-2026-53553 was published for github.com/zhenorzz/goploy (Go) Jul 7, 2026
What-canIsay Credited to What-canIsay
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs High
CVE-2026-33655 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
b-hermes Credited to b-hermes
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write High
GHSA-qrwj-vh9x-gw5v was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration High
CVE-2026-55436 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps High
CVE-2026-55431 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator High
CVE-2026-55428 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID High
CVE-2026-55429 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` High
CVE-2026-55427 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: User-admin role can reset owner account password High
CVE-2026-55077 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass High
CVE-2026-55075 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking High
CVE-2026-55076 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression High
CVE-2026-46599 was published for golang.org/x/image (Go) Jul 2, 2026
Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename High
CVE-2026-52792 was published for github.com/xyproto/algernon (Go) Jul 2, 2026
Dredsen Credited to Dredsen
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent High
CVE-2026-44454 was published for github.com/coder/coder (Go) Jul 2, 2026
avivdon Credited to avivdon
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags High
CVE-2026-50138 was published for goshs.de/goshs/v2 (Go) Jul 1, 2026
black-shadow-007 Credited to black-shadow-007
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution High
CVE-2026-50163 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
anvanster Credited to anvanster
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header High
CVE-2026-50151 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
1seal Credited to 1seal
Rancher has over-inclusive team membership expansion in GitHub App authentication provider High
CVE-2026-41053 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Yuremin Credited to Yuremin and FORIMOC FORIMOC FORIMOC
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components High
CVE-2026-44937 was published for github.com/rancher/fleet (Go) Jul 1, 2026
ProTip! Advisories are also available from the GraphQL API