GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,583 advisories
Filter by severity
melange: Incomplete package integrity verification allows data section substitution
High
CVE-2026-54174
was published
for
chainguard.dev/apko
(Go)
Jul 10, 2026
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
High
CVE-2026-54063
was published
for
github.com/xuri/excelize/v2
(Go)
Jul 10, 2026
SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894
High
CVE-2026-54066
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
High
CVE-2026-50553
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
High
CVE-2026-50197
was published
for
github.com/zalando/skipper
(Go)
Jul 8, 2026
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
High
CVE-2026-53553
was published
for
github.com/zhenorzz/goploy
(Go)
Jul 7, 2026
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
High
CVE-2026-33655
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
High
GHSA-qrwj-vh9x-gw5v
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
High
CVE-2026-55436
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
High
CVE-2026-55431
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
High
CVE-2026-55428
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
High
CVE-2026-55429
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
High
CVE-2026-55427
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: User-admin role can reset owner account password
High
CVE-2026-55077
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
High
CVE-2026-55075
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
High
CVE-2026-55076
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression
High
CVE-2026-46599
was published
for
golang.org/x/image
(Go)
Jul 2, 2026
Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
High
CVE-2026-52792
was published
for
github.com/xyproto/algernon
(Go)
Jul 2, 2026
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
High
CVE-2026-44454
was published
for
github.com/coder/coder
(Go)
Jul 2, 2026
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
High
CVE-2026-50138
was published
for
goshs.de/goshs/v2
(Go)
Jul 1, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
High
CVE-2026-50163
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
Rancher has over-inclusive team membership expansion in GitHub App authentication provider
High
CVE-2026-41053
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
High
CVE-2026-44937
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
ProTip!
Advisories are also available from the
GraphQL API