GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

307 advisories

Mattermost Server server restarts may provide attackers with API access Critical
CVE-2017-18915 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server has X.509 Improper Certificate Validation Critical
CVE-2017-18911 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Gogs's update .git/config file allows remote command execution Critical
CVE-2025-64111 was published for gogs.io/gogs (Go) Feb 6, 2026
ROPShell
Credited to ROPShell
Gardener allows bypassing project secret validation which can lead to privilege escalation Critical
CVE-2025-47283 was published for github.com/gardener/gardener (Go) May 19, 2025
Credited to petersutter, rfranzke, donistz, timuthy, and JordanJordanov
FrankenPHP has delayed propagation of security fixes in upstream base images Critical
GHSA-x9p2-77v6-6vhf was published for github.com/dunglas/frankenphp (Go) Feb 5, 2026
Credited to opctim and dunglas
Credited to yunfachi
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE Critical
CVE-2026-25539 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 29, 2026
Credited to thxtech
Alist has Insecure TLS Config Critical
CVE-2026-25160 was published for github.com/alist-org/alist/v3 (Go) Feb 4, 2026
Credited to XlabAITeam, A7um, and okatu-loli
ingress-nginx admission controller RCE escalation Critical
CVE-2025-1974 was published for k8s.io/ingress-nginx (Go) Mar 25, 2025
Credited to dor-hayun
Duplicate Advisory: EVE Freely Allocates Buffer on The Stack With Data From Socket Critical
GHSA-vpjr-h6fh-mw4p was published for github.com/lf-edge/eve (Go) Sep 21, 2023 (withdrawn)
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern Critical
CVE-2025-62878 was published for github.com/rancher/local-path-provisioner (Go) Feb 4, 2026
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall Critical
CVE-2026-22039 was published for github.com/kyverno/kyverno (Go) Jan 27, 2026
Credited to thevilledev
Duplicate Advisory: GoUtils's randomly-generated alphanumeric strings contain significantly less entropy than expected Critical
GHSA-3839-6r69-m497 was published for github.com/Masterminds/goutils (Go) Dec 28, 2022 (withdrawn)
Websocket requests did not call AuthenticateMethod Critical
CVE-2021-4236 was published for github.com/ecnepsnai/web (Go) Jun 23, 2021
Duplicate Advisory: ecnepsnai/web vulnerable to Uncontrolled Resource Consumption Critical
GHSA-jpgg-cp2x-qrw3 was published for github.com/ecnepsnai/web (Go) Dec 28, 2022 (withdrawn)
Duplicate Advisory: Consensys gnark-crypto allows Signature Malleability Critical
GHSA-9xfq-8j3r-xp5g was published for github.com/Consensys/gnark-crypto (Go) Sep 28, 2023 (withdrawn)
OpenShift GitOps authenticated attackers can obtain cluster root access through forged ArgoCD custom resources Critical
CVE-2025-13888 was published for github.com/redhat-developer/gitops-operator (Go) Dec 15, 2025
WeKnora has Command Injection in MCP stdio test Critical
CVE-2026-22688 was published for github.com/Tencent/WeKnora (Go) Jan 9, 2026
Credited to im-soohyun
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment Critical
CVE-2026-23518 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
Credited to prateek-0490
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function Critical
CVE-2026-22822 was published for github.com/external-secrets/external-secrets (Go) Jan 20, 2026
Credited to evrardjp, budimanjojo, and gusfcarvalho
Fleet has SAML authentication vulnerability due to improper SAML response validation Critical
CVE-2025-27509 was published for github.com/fleetdm/fleet/v4 (Go) Mar 6, 2025
Credited to hakivvi, lucasmrod, getvictor, rh-colbymorgan, and jeffssh
Token leases could outlive their TTL in HashiCorp Vault Critical
CVE-2020-25816 was published for github.com/hashicorp/vault (Go) May 24, 2022
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE Critical
CVE-2026-23520 was published for github.com/getarcaneapp/arcane/backend (Go) Jan 15, 2026
Credited to DenizParlak
Mattermost Server is vulnerable to CSV Injection Critical
CVE-2017-18900 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer Critical
CVE-2025-62877 was published for github.com/harvester/harvester-installer (Go) Jan 5, 2026