Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,263 advisories

Loading
netfoil: Attacker controlled data written to logs Low
GHSA-7856-g3gv-9wq8 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
netfoil has a resource leak in LRU cache Low
GHSA-3g4q-2f67-2gvh was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
stigtsp Credited to stigtsp
netfoil has a domain name filter bypass via multiple questions Moderate
GHSA-59qp-cfj3-rp64 was published for github.com/tinfoil-factory/netfoil (Go) Jul 7, 2026
New API is vulnerable to CSRF through user email binding Moderate
CVE-2026-44342 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
kyo-w Credited to kyo-w
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs High
CVE-2026-33655 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
b-hermes Credited to b-hermes
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write High
GHSA-qrwj-vh9x-gw5v was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing Moderate
CVE-2026-55438 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component Moderate
CVE-2026-55437 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration High
CVE-2026-55436 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints Moderate
CVE-2026-55435 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints Moderate
CVE-2026-55434 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers Moderate
CVE-2026-55433 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's sub-agent app registration bypasses template port-sharing policy enforcement Moderate
CVE-2026-55432 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps High
CVE-2026-55431 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service Moderate
CVE-2026-55078 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access Moderate
CVE-2026-55430 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator High
CVE-2026-55428 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID High
CVE-2026-55429 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service Moderate
CVE-2026-55079 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` High
CVE-2026-55427 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: User-admin role can reset owner account password High
CVE-2026-55077 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass High
CVE-2026-55075 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking High
CVE-2026-55076 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation Moderate
CVE-2026-53935 was published for github.com/cilium/cilium (Go) Jul 6, 2026
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check Moderate
CVE-2026-53624 was published for github.com/gofiber/fiber (Go) Jul 6, 2026
sondt99 Credited to sondt99, dungNHVhust, gaby, and ReneWerner87 dungNHVhust dungNHVhust
gaby gaby ReneWerner87 ReneWerner87
ProTip! Advisories are also available from the GraphQL API