Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

229 advisories

Loading
M0oo0ry Credited to M0oo0ry
containerd image-triggered runtime DoS via unbounded group parsing Moderate
CVE-2026-47262 was published for github.com/containerd/containerd (Go) Jun 19, 2026
jake-ciolek Credited to jake-ciolek and kyle-elliott-tob kyle-elliott-tob kyle-elliott-tob
File Browser has a DoS Vulnerability via Public Login API High
CVE-2026-54092 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
AshrafIbrahim03 Credited to AshrafIbrahim03
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS High
CVE-2026-48050 was published for github.com/basekick-labs/arc (Go) Jun 11, 2026
NeuroWinter Credited to NeuroWinter
klever-go: REST API slow-header connection exhaustion via Gin Engine.Run High
CVE-2026-52880 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
estensen Credited to estensen
klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS High
CVE-2026-52879 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
estensen Credited to estensen
Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS Moderate
CVE-2026-49343 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
maiiquynhh Credited to maiiquynhh
Klever-Go KVM: Hash-array amplification in P2P resolver request handling High
CVE-2026-47249 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
leduckhuong Credited to leduckhuong
Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS) High
GHSA-74m6-4hjp-7226 was published for github.com/klever-io/klever-go (Go) Jun 4, 2026
LoG1331 Credited to LoG1331
go-git: Malformed Git object data may cause panics or resource exhaustion Moderate
GHSA-w5pp-99ch-qj29 was published for github.com/go-git/go-git/v5 (Go) May 29, 2026
hiddeco Credited to hiddeco, N0zoM1z0, AyushParkara, and kodareef5 N0zoM1z0 N0zoM1z0
AyushParkara AyushParkara kodareef5 kodareef5
Go Net HTML parser is vulnerable to denial of service Moderate
CVE-2026-25680 was published for golang.org/x/net (Go) May 26, 2026
joepurdy Credited to joepurdy
Mattermost doesn't validate the TIFF IFD offset in the image header before allocating memory Moderate
CVE-2026-5755 was published for github.com/mattermost/mattermost-server (Go) May 26, 2026
Mattermost doesn't enforce request body size limits on plugin HTTP endpoints High
CVE-2026-5308 was published for github.com/mattermost/mattermost-plugin-github (Go) May 26, 2026
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes High
CVE-2026-45713 was published for github.com/axllent/mailpit (Go) May 19, 2026
KadirArslan Credited to KadirArslan
OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU Moderate
CVE-2026-45680 was published for go.opentelemetry.io/obi (Go) May 18, 2026
MrAlias Credited to MrAlias
iskorotkov/avro: CPU Exhaustion in Decoder High
CVE-2026-46385 was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
klajok Credited to klajok
iskorotkov/avro: Denial-of-Service Vulnerability in Decoder High
GHSA-mx64-mj3q-7prj was published for github.com/iskorotkov/avro/v2 (Go) May 18, 2026
klajok Credited to klajok
Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding High
CVE-2026-45047 was published for github.com/xddxdd/bird-lg-go (Go) May 11, 2026
9Bakabaka Credited to 9Bakabaka
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size Moderate
CVE-2026-44247 was published for volcano.sh/volcano (Go) May 8, 2026
JesseStutler Credited to JesseStutler, bugbunny-research, hzxuzhonghu, and kevin-wangzefeng bugbunny-research bugbunny-research
hzxuzhonghu hzxuzhonghu kevin-wangzefeng kevin-wangzefeng
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload High
CVE-2026-42154 was published for github.com/prometheus/prometheus (Go) May 5, 2026
ShadowByte1 Credited to ShadowByte1, Ankush-Pathak, and noren95 Ankush-Pathak Ankush-Pathak
noren95 noren95
CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification High
CVE-2026-32936 was published for github.com/coredns/coredns (Go) Apr 28, 2026
thesmartshadow Credited to thesmartshadow
Grafana Tempo has an Uncontrolled Resource Consumption issue High
CVE-2026-21728 was published for github.com/grafana/tempo (Go) Apr 24, 2026
free5GC PCF: Memory Leak via CORS Middleware Registration in HTTP Handler Leads to Denial of Service High
CVE-2026-41135 was published for github.com/free5gc/pcf (Go) Apr 22, 2026
Giancannella Credited to Giancannella
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion Moderate
CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) Apr 21, 2026
offset Credited to offset, vdemeester, and waveywaves vdemeester vdemeester
waveywaves waveywaves
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) Low
CVE-2026-39396 was published for github.com/openbao/openbao (Go) Apr 21, 2026
n1rwhex Credited to n1rwhex
ProTip! Advisories are also available from the GraphQL API