Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,822
Maven
5,000+
npm
4,448
NuGet
774
pip
4,218
Pub
12
RubyGems
970
Rust
1,089
Swift
47
Unreviewed advisories
All unreviewed
5,000+

1,290 advisories

Loading
chi has an open redirect vulnerability in the RedirectSlashes middleware Moderate
GHSA-mqqf-5wvp-8fh8 was published for github.com/go-chi/chi (Go) Jan 14, 2026
thanosgn
Credited to thanosgn
Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass Moderate
CVE-2026-22772 was published for github.com/sigstore/fulcio (Go) Jan 13, 2026
morwn
Credited to morwn
Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails Moderate
CVE-2026-22689 was published for github.com/axllent/mailpit (Go) Jan 13, 2026
omarkurt
Credited to omarkurt
Cosign verification accepts any valid Rekor entry under certain conditions Moderate
CVE-2026-22703 was published for github.com/sigstore/cosign/v2 (Go) Jan 13, 2026
1seal
Credited to 1seal
Shiori is vulnerable to authentication bypass via a brute force attack Moderate
CVE-2025-60538 was published for github.com/go-shiori/shiori (Go) Jan 9, 2026
Soft Serve is missing an authorization check in LFS lock deletion Moderate
CVE-2026-22253 was published for github.com/charmbracelet/soft-serve (Go) Jan 8, 2026
Tomer-PL
Credited to Tomer-PL
CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages Moderate
CVE-2025-68151 was published for github.com/coredns/coredns (Go) Jan 8, 2026
thevilledev
Credited to thevilledev
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources Moderate
CVE-2026-21885 was published for miniflux.app/v2 (Go) Jan 7, 2026
eclipse07077-ljw
Credited to eclipse07077-ljw
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability Moderate
CVE-2026-21859 was published for github.com/axllent/mailpit (Go) Jan 6, 2026
omarkurt
Credited to omarkurt
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass Moderate
GHSA-hjr9-wj7v-7hv8 was published for github.com/bishopfox/sliver (Go) Jan 5, 2026
0xkato
Credited to 0xkato
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover Moderate
CVE-2026-21483 was published for github.com/knadh/listmonk (Go) Jan 2, 2026
PlayerIUnknown
Credited to PlayerIUnknown
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists Moderate
CVE-2025-69413 was published for code.gitea.io/gitea (Go) Jan 1, 2026
Temporal has an Incorrect Authorization vulnerability Moderate
CVE-2025-14987 was published for go.temporal.io/server (Go) Dec 30, 2025
Visual Studio Code Go extension has unexpected untrusted code execution Moderate
CVE-2025-68120 was published for github.com/golang/vscode-go (Go) Dec 30, 2025
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries Moderate
CVE-2025-68944 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea: anonymous user can visit private user's project Moderate
CVE-2025-68945 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea vulnerable to Cross-site Scripting Moderate
CVE-2025-68946 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order Moderate
CVE-2025-68943 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text Moderate
CVE-2025-68942 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources Moderate
CVE-2025-68941 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea mishandles authorization for deletion of releases Moderate
CVE-2025-68938 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues Moderate
CVE-2025-13767 was published for github.com/mattermost/mattermost-server (Go) Dec 24, 2025
Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin Moderate
CVE-2025-64641 was published for github.com/mattermost/mattermost-server (Go) Dec 24, 2025
Filebeat Beats has Buffer Overflow via Malformed Syslog Message or Malicious Tokenizer Pattern in Dissect Configuration Moderate
CVE-2025-68383 was published for github.com/elastic/beats (Go) Dec 19, 2025
Amazon S3 Encryption Client has a Key Commitment Issue Moderate
CVE-2025-14764 was published for github.com/aws/amazon-s3-encryption-client-go/v3 (Go) Dec 18, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database