
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,004 advisories

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection High
CVE-2026-54090 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 12, 2026
Credited to RajChowdhury240
File Browser has incorrect access control for public directory shares via rule path rebasing High
CVE-2026-54091 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to hacdias
File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames Moderate
CVE-2026-54093 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to hacdias
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope Moderate
CVE-2026-54094 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to DavidCarliez, hacdias, m2hcz, and alanturing881
File Browser has a DoS Vulnerability via Public Login API High
CVE-2026-54092 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to AshrafIbrahim03
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path High
CVE-2026-54096 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to quart27219, kimdu0, and hacdias
File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix High
CVE-2026-54097 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to wooseokdotkim and hacdias
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint Moderate
CVE-2026-46371 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint Moderate
CVE-2026-46370 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs) High
CVE-2026-53999 was published for github.com/radius-project/radius (Go) Jun 12, 2026
Credited to b0b0haha and j311yl0v3u
nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store Low
GHSA-6vgg-xhvh-38ff was published for github.com/juev/nebula-mesh (Go) Jun 12, 2026
Credited to ak2k
gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362) Moderate
CVE-2026-48154 was published for github.com/pilinux/gorest (Go) Jun 12, 2026
Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() Moderate
GHSA-9r4w-jg96-92mv was published for github.com/google/go-attestation (Go) Jun 12, 2026
Credited to prasanna8585
Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection High
CVE-2026-48113 was published for github.com/jpillora/chisel (Go) Jun 12, 2026
Credited to mzfr
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance High
CVE-2026-11401 was published for github.com/aws/aws-advanced-go-wrapper/auth-helpers (Go) Jun 11, 2026
Credited to j4xT
DevGuard has improper authorization on public assets High
CVE-2026-48089 was published for github.com/l3montree-dev/devguard (Go) Jun 11, 2026
Credited to philipflohr
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS High
CVE-2026-48050 was published for github.com/basekick-labs/arc (Go) Jun 11, 2026
Credited to NeuroWinter
Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization High
CVE-2026-48020 was published for github.com/traefik/traefik/v2 (Go) Jun 11, 2026
Credited to H4ck2
free5GC UDR has improper `ueId` validation in EE subscription handlers that allows arbitrary identifier persistence Moderate
CVE-2026-47780 was published for github.com/free5gc/udr (Go) Jun 11, 2026
Credited to Giancannella, FrancescoDAlterio, ghMellow, and ndrberna
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) Moderate
CVE-2026-47768 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
Credited to ak2k
Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted) Moderate
CVE-2026-47753 was published for github.com/lxc/incus/v7 (Go) Jun 10, 2026
Credited to tonghuaroot and stgraber
nebula-mesh: Session and OIDC state cookies lack the Secure attribute Moderate
CVE-2026-48058 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
Credited to ak2k
nebula-mesh: Decrypted CA private key persists in heap after signing Moderate
CVE-2026-48025 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
Credited to ak2k
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth High
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) Jun 10, 2026
Credited to everping, arminru, jaronoff97, and swiatekm