Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,867
Maven
5,000+
npm
4,488
NuGet
780
pip
4,244
Pub
12
RubyGems
975
Rust
1,096
Swift
49
Unreviewed advisories
All unreviewed
5,000+

2,867 advisories

Loading
CometBFT has inconsistencies between how commit signatures are verified and how block time is derived High
GHSA-c32p-wcqj-j677 was published for github.com/cometbft/cometbft (Go) Jan 23, 2026
Gitea does not properly validate ownership when toggling OpenID URI visibility Moderate
CVE-2026-20904 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea does not properly validate repository ownership when linking attachments to releases Moderate
CVE-2026-20912 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea has improper access control for uploaded attachments Low
CVE-2026-20736 was published for code.gitea.io/gitea (Go) Jan 23, 2026
Gitea may send release notification emails for private repositories to users whose access has been revoked Low
CVE-2026-0798 was published for code.gitea.io/gitea (Go) Jan 23, 2026
Gitea improperly exposes issue and pull request titles Low
CVE-2026-20800 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea does not properly validate project ownership in organization project operations Moderate
CVE-2026-20750 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface Moderate
CVE-2026-20888 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea improperly exposes issue titles and repository names through previously started stopwatches Low
CVE-2026-20883 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
Gitea does not properly validate repository ownership when deleting Git LFS locks Moderate
CVE-2026-20897 was published for github.com/go-gitea/gitea (Go) Jan 23, 2026
sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal Moderate
CVE-2026-24137 was published for github.com/sigstore/sigstore (Go) Jan 22, 2026
1seal
Credited to 1seal
Incus container image templating arbitrary host file read and write High
CVE-2026-23954 was published for github.com/lxc/incus/v6/cmd/incusd (Go) Jan 22, 2026
rmcnamara-snyk
Credited to rmcnamara-snyk
Incus container environment configuration newline injection High
CVE-2026-23953 was published for github.com/lxc/incus/v6 (Go) Jan 22, 2026
rmcnamara-snyk
Credited to rmcnamara-snyk
Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL Moderate
CVE-2026-24117 was published for github.com/sigstore/rekor (Go) Jan 22, 2026
1seal
Credited to 1seal
Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message Moderate
CVE-2026-23831 was published for github.com/sigstore/rekor (Go) Jan 22, 2026
1seal
Credited to 1seal
Dragonfly Manager Job API Unauthenticated Access High
CVE-2026-24124 was published for d7y.io/dragonfly/v2 (Go) Jan 22, 2026
b0b0haha gaius-qi
Credited to b0b0haha and gaius-qi
Soft Serve Affected by an Authentication Bypass High
CVE-2026-24058 was published for github.com/charmbracelet/soft-serve (Go) Jan 21, 2026
juancabe aymanbagabas
Credited to juancabe and aymanbagabas
OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format Low
GHSA-r92c-9c7f-3pj8 was published for github.com/opentofu/opentofu (Go) Jan 21, 2026
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims Moderate
CVE-2026-23990 was published for github.com/controlplaneio-fluxcd/flux-operator (Go) Jan 21, 2026
Argo Workflows affected by stored XSS in the artifact directory listing High
CVE-2026-23960 was published for github.com/argoproj/argo-workflows (Go) Jan 21, 2026
Masamuneee
Credited to Masamuneee
go-tuf improperly validates the configured threshold for delegations Moderate
CVE-2026-23992 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 21, 2026
1seal kommendorkapten
rdimitrov
Credited to 1seal, kommendorkapten, and rdimitrov
go-tuf affected by client DoS via malformed server response Moderate
CVE-2026-23991 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 21, 2026
1seal kommendorkapten
rdimitrov
Credited to 1seal, kommendorkapten, and rdimitrov
File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login Moderate
CVE-2026-23849 was published for github.com/filebrowser/filebrowser (Go) Jan 21, 2026
GUCHIHACKER hacdias
Credited to GUCHIHACKER and hacdias
SiYuan vulnerable to Arbitrary file Read / SSRF High
CVE-2026-23850 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
abdoghazy2015 xtromera
A-Z4ki
Credited to abdoghazy2015, xtromera, and A-Z4ki
SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality High
CVE-2026-23851 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
jaroslaw-wawiorko
Credited to jaroslaw-wawiorko
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database