GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,260
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,260 advisories
Filter by severity
New API is vulnerable to CSRF through user email binding
Moderate
CVE-2026-44342
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
High
CVE-2026-33655
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
High
GHSA-qrwj-vh9x-gw5v
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Moderate
CVE-2026-55438
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Moderate
CVE-2026-55437
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
High
CVE-2026-55436
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Moderate
CVE-2026-55435
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Moderate
CVE-2026-55434
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Moderate
CVE-2026-55433
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Moderate
CVE-2026-55432
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
High
CVE-2026-55431
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
Moderate
CVE-2026-55078
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Moderate
CVE-2026-55430
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
High
CVE-2026-55428
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
High
CVE-2026-55429
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
Moderate
CVE-2026-55079
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
High
CVE-2026-55427
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder: User-admin role can reset owner account password
High
CVE-2026-55077
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
High
CVE-2026-55075
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
High
CVE-2026-55076
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation
Moderate
CVE-2026-53935
was published
for
github.com/cilium/cilium
(Go)
Jul 6, 2026
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check
Moderate
CVE-2026-53624
was published
for
github.com/gofiber/fiber
(Go)
Jul 6, 2026
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile
Moderate
CVE-2026-54637
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 6, 2026
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access
Critical
CVE-2026-49445
was published
for
github.com/cilium/cilium
(Go)
Jul 6, 2026
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression
High
CVE-2026-46599
was published
for
golang.org/x/image
(Go)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API