GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,263
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,484
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,263 advisories
Filter by severity
netfoil: Attacker controlled data written to logs
Low
GHSA-7856-g3gv-9wq8
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
netfoil has a resource leak in LRU cache
Low
GHSA-3g4q-2f67-2gvh
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
netfoil has a domain name filter bypass via multiple questions
Moderate
GHSA-59qp-cfj3-rp64
was published
for
github.com/tinfoil-factory/netfoil
(Go)
Jul 7, 2026
New API is vulnerable to CSRF through user email binding
Moderate
CVE-2026-44342
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
High
CVE-2026-33655
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
High
GHSA-qrwj-vh9x-gw5v
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Moderate
CVE-2026-55438
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Moderate
CVE-2026-55437
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
High
CVE-2026-55436
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Moderate
CVE-2026-55435
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Moderate
CVE-2026-55434
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Moderate
CVE-2026-55433
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Moderate
CVE-2026-55432
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
High
CVE-2026-55431
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
Moderate
CVE-2026-55078
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Moderate
CVE-2026-55430
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
High
CVE-2026-55428
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
High
CVE-2026-55429
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
Moderate
CVE-2026-55079
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
High
CVE-2026-55427
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: User-admin role can reset owner account password
High
CVE-2026-55077
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
High
CVE-2026-55075
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
High
CVE-2026-55076
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation
Moderate
CVE-2026-53935
was published
for
github.com/cilium/cilium
(Go)
Jul 6, 2026
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check
Moderate
CVE-2026-53624
was published
for
github.com/gofiber/fiber
(Go)
Jul 6, 2026
ProTip!
Advisories are also available from the
GraphQL API