Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

216 advisories

Loading
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth Low
CVE-2026-49254 was published for d7y.io/dragonfly/v2 (Go) Jul 2, 2026
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
ORAS Go forwards registry credentials across registry redirects Moderate
GHSA-vh4v-2xq2-g5cg was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
mosskappa Credited to mosskappa
Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec High
GHSA-7m8x-qg2j-4m3v was published for github.com/fission/fission (Go) Jun 30, 2026
FORIMOC Credited to FORIMOC, Yuremin, and sanketsudake Yuremin Yuremin
sanketsudake sanketsudake
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API Moderate
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
sondt99 Credited to sondt99
Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API Moderate
CVE-2026-52815 was published for gogs.io/gogs (Go) Jun 23, 2026
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName Moderate
CVE-2026-11769 was published for github.com/grafana/grafana-operator (Go) Jun 19, 2026
cherez0ff Credited to cherez0ff
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server High
CVE-2026-55882 was published for github.com/tilt-dev/tilt (Go) Jun 19, 2026
therawdev Credited to therawdev
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint Moderate
CVE-2026-46371 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint Moderate
CVE-2026-46370 was published for github.com/fleetdm/fleet/v4 (Go) Jun 12, 2026
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS High
CVE-2026-48050 was published for github.com/basekick-labs/arc (Go) Jun 11, 2026
NeuroWinter Credited to NeuroWinter
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth High
CVE-2026-47701 was published for github.com/open-telemetry/opentelemetry-operator (Go) Jun 10, 2026
everping Credited to everping, arminru, jaronoff97, and swiatekm arminru arminru
jaronoff97 jaronoff97 swiatekm swiatekm
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data Moderate
CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
offset Credited to offset
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks High
CVE-2026-47735 was published for github.com/basekick-labs/arc (Go) Jun 8, 2026
NeuroWinter Credited to NeuroWinter
Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService High
CVE-2026-45726 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions Moderate
CVE-2026-3636 was published for github.com/mattermost/mattermost-server (Go) May 26, 2026
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members Moderate
CVE-2026-47124 was published for github.com/nezhahq/nezha (Go) May 23, 2026
sondt99 Credited to sondt99
FileBrowser Quantum: unauthenticated user share share info High
CVE-2026-46410 was published for github.com/gtsteffaniak/filebrowser (Go) May 19, 2026
bugbunny-research Credited to bugbunny-research
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations Moderate
CVE-2026-45737 was published for github.com/argoproj/argo-cd/v3 (Go) May 19, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication Moderate
GHSA-9v4j-7g44-qcqw was published for github.com/xyproto/algernon (Go) May 19, 2026
Dredsen Credited to Dredsen
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure Low
CVE-2026-45683 was published for go.opentelemetry.io/obi (Go) May 18, 2026
MrAlias Credited to MrAlias and grcevski grcevski grcevski
Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin High
CVE-2026-6347 was published for github.com/mattermost/mattermost-plugin-calls (Go) May 18, 2026
Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation High
CVE-2026-6346 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update High
CVE-2026-44881 was published for github.com/portainer/portainer (Go) May 14, 2026
b-hermes Credited to b-hermes
ProTip! Advisories are also available from the GraphQL API