Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,260 advisories

Loading
New API is vulnerable to CSRF through user email binding Moderate
CVE-2026-44342 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
kyo-w Credited to kyo-w
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs High
CVE-2026-33655 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
b-hermes Credited to b-hermes
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write High
GHSA-qrwj-vh9x-gw5v was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing Moderate
CVE-2026-55438 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component Moderate
CVE-2026-55437 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration High
CVE-2026-55436 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints Moderate
CVE-2026-55435 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints Moderate
CVE-2026-55434 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers Moderate
CVE-2026-55433 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's sub-agent app registration bypasses template port-sharing policy enforcement Moderate
CVE-2026-55432 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps High
CVE-2026-55431 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service Moderate
CVE-2026-55078 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access Moderate
CVE-2026-55430 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator High
CVE-2026-55428 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID High
CVE-2026-55429 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service Moderate
CVE-2026-55079 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` High
CVE-2026-55427 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder: User-admin role can reset owner account password High
CVE-2026-55077 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass High
CVE-2026-55075 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking High
CVE-2026-55076 was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation Moderate
CVE-2026-53935 was published for github.com/cilium/cilium (Go) Jul 6, 2026
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check Moderate
CVE-2026-53624 was published for github.com/gofiber/fiber (Go) Jul 6, 2026
sondt99 Credited to sondt99, dungNHVhust, gaby, and ReneWerner87 dungNHVhust dungNHVhust
gaby gaby ReneWerner87 ReneWerner87
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile Moderate
CVE-2026-54637 was published for d7y.io/dragonfly/v2 (Go) Jul 6, 2026
tonghuaroot Credited to tonghuaroot and gaius-qi gaius-qi gaius-qi
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access Critical
CVE-2026-49445 was published for github.com/cilium/cilium (Go) Jul 6, 2026
0xch4z Credited to 0xch4z and moemen moemen moemen
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression High
CVE-2026-46599 was published for golang.org/x/image (Go) Jul 2, 2026
ProTip! Advisories are also available from the GraphQL API