GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,260
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
216 advisories
Filter by severity
Ech0 comment model's Email field returned on public /api/comments endpoints
Moderate
GHSA-rj4g-rqgh-rx9h
was published
for
github.com/lin-snow/Ech0
(Go)
May 7, 2026
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Critical
CVE-2026-42880
was published
for
github.com/argoproj/argo-cd/v3
(Go)
May 7, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Critical
GHSA-9h64-2846-7x7f
was published
for
github.com/getaxonflow/axonflow
(Go)
May 6, 2026
DevSpace UI Server WebSocket CheckOrigin does not validate source
High
CVE-2026-42283
was published
for
github.com/loft-sh/devspace
(Go)
May 6, 2026
Nginx-UI Settings API Exposes Protected Secrets
Moderate
CVE-2026-42223
was published
for
github.com/0xJacky/nginx-ui
(Go)
May 6, 2026
Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Moderate
CVE-2026-42220
was published
for
github.com/0xJacky/Nginx-UI
(Go)
May 5, 2026
Prometheus Azure AD remote write OAuth client secret exposed via config API
High
CVE-2026-42151
was published
for
github.com/prometheus/prometheus
(Go)
May 5, 2026
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Moderate
CVE-2026-30246
was published
for
github.com/gofiber/fiber/v3
(Go)
Apr 28, 2026
Cillium exposes sensitive information included in the cilium-bugtool debug archive
High
CVE-2026-41520
was published
for
github.com/cilium/cilium
(Go)
Apr 25, 2026
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars
Critical
CVE-2026-41492
was published
for
github.com/dgraph-io/dgraph
(Go)
Apr 24, 2026
Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak)
High
GHSA-8wfp-579w-6r25
was published
for
github.com/kyverno/kyverno
(Go)
Apr 16, 2026
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
High
CVE-2026-41323
was published
for
github.com/kyverno/kyverno
(Go)
Apr 16, 2026
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints
Critical
CVE-2026-40173
was published
for
github.com/dgraph-io/dgraph
(Go)
Apr 16, 2026
Pyroscope Exposes Storage Secret
Critical
CVE-2025-41118
was published
for
github.com/grafana/pyroscope
(Go)
Apr 15, 2026
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
High
CVE-2026-40885
was published
for
github.com/patrickhener/goshs/v2
(Go)
Apr 14, 2026
free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication
High
CVE-2026-40245
was published
for
github.com/free5gc/udr
(Go)
Apr 14, 2026
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
High
CVE-2026-34984
was published
for
github.com/external-secrets/external-secrets
(Go)
Apr 13, 2026
HashiCorp's go-getter library may allow arbitrary file reads
High
CVE-2026-4660
was published
for
github.com/hashicorp/go-getter
(Go)
Apr 9, 2026
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Moderate
CVE-2026-40293
was published
for
github.com/openfga/openfga
(Go)
Apr 8, 2026
Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback
Low
CVE-2026-34969
was published
for
github.com/nhost/nhost
(Go)
Apr 1, 2026
Grafana public dashboards disclose all direct mode datasources
Moderate
CVE-2026-27877
was published
for
github.com/grafana/grafana
(Go)
Mar 27, 2026
Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Moderate
CVE-2026-33677
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
In Soft Serve, an authenticated repo import can clone server-local private repositories
High
CVE-2026-33353
was published
for
github.com/charmbracelet/soft-serve
(Go)
Mar 19, 2026
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
Critical
CVE-2026-32938
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 17, 2026
Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values
High
CVE-2026-2476
was published
for
github.com/mattermost/mattermost-plugin-msteams
(Go)
Mar 16, 2026
ProTip!
Advisories are also available from the
GraphQL API