GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,844 advisories

File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login (Moderate)
CVE-2026-23849, published for github.com/filebrowser/filebrowser (Go) on Jan 21, 2026
Credited to GUCHIHACKER and hacdias

SiYuan vulnerable to Arbitrary file Read / SSRF (High)
CVE-2026-23850, published for github.com/siyuan-note/siyuan/kernel (Go) on Jan 21, 2026
Credited to abdoghazy2015, xtromera, and A-Z4ki

SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality (High)
CVE-2026-23851, published for github.com/siyuan-note/siyuan/kernel (Go) on Jan 21, 2026
Credited to jaroslaw-wawiorko

Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API (Moderate)
CVE-2026-23845, published for github.com/axllent/mailpit (Go) on Jan 21, 2026
Credited to mdisec and omarkurt

SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon (Low)
CVE-2026-23847, published for github.com/siyuan-note/siyuan/kernel (Go) on Jan 21, 2026
Credited to jaroslaw-wawiorko

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment (Critical)
CVE-2026-23518, published for github.com/fleetdm/fleet (Go) on Jan 20, 2026
Credited to prateek-0490

Fleet has an Access Control vulnerability in debug/pprof endpoints (High)
CVE-2026-23517, published for github.com/fleetdm/fleet (Go) on Jan 20, 2026
Credited to prateek-0490 and iansltx

Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability (High)
CVE-2026-22808, published for github.com/fleetdm/fleet (Go) on Jan 20, 2026
Credited to prateek-0490 and iansltx

Mailpit has an SMTP Header Injection via Regex Bypass (Moderate)
CVE-2026-23829, published for github.com/axllent/mailpit (Go) on Jan 20, 2026
Credited to omarkurt

esm.sh has a path traversal in extractPackageTarball that enables file writes from malicious packages (High)
CVE-2026-23644, published for github.com/esm-dev/esm.sh (Go) on Jan 20, 2026
Credited to kelbyludwig

External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function (Critical)
CVE-2026-22822, published for github.com/external-secrets/external-secrets (Go) on Jan 20, 2026
Credited to evrardjp, budimanjojo, and gusfcarvalho

Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered (High)
CVE-2026-21696, published for github.com/pterodactyl/wings (Go) on Jan 20, 2026
Credited to danny6167

Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DoS attacks (High)
CVE-2025-69199, published for github.com/pterodactyl/wings (Go) on Jan 20, 2026
Credited to KianBrose

Skipper is vulnerable to arbitrary code execution through Lua filters (High)
CVE-2026-23742, published for github.com/zalando/skipper (Go) on Jan 16, 2026
Credited to moyushui and b0b0haha

SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload (Moderate)
CVE-2026-23645, published for github.com/siyuan-note/siyuan/kernel (Go) on Jan 16, 2026
Credited to jaroslaw-wawiorko

Mattermost is vulnerable to DoS due to infinite re-renders on API errors (Moderate)
CVE-2025-14435, published for github.com/mattermost/mattermost-server (Go) on Jan 16, 2026

Mattermost is vulnerable to CPU exhaustion via crafted HTTP request (Low)
CVE-2025-14822, published for github.com/mattermost/mattermost-server (Go) on Jan 16, 2026

Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall (Moderate)
CVE-2026-22045, published for github.com/traefik/traefik/v2 (Go) on Jan 15, 2026
Credited to pavelkohout396

lakeFS is Missing Timestamp Validation in S3 Gateway Authentication (Moderate)
CVE-2025-68671, published for github.com/treeverse/lakefs (Go) on Jan 15, 2026

Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE (Critical)
CVE-2026-23520, published for github.com/getarcaneapp/arcane/backend (Go) on Jan 15, 2026
Credited to DenizParlak

Zitadel has a user enumeration vulnerability in Login UIs (Moderate)
CVE-2026-23511, published for github.com/zitadel/zitadel (Go) on Jan 15, 2026
Credited to IAM-marco and livio-a

DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface (High)
CVE-2025-66292, published for github.com/donknap/dpanel (Go) on Jan 15, 2026
Credited to pyroxenites

chi has an open redirect vulnerability in the RedirectSlashes middleware (Moderate)
GHSA-mqqf-5wvp-8fh8, published for github.com/go-chi/chi (Go) on Jan 14, 2026
Credited to thanosgn

go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message (High)
CVE-2026-22868, published for github.com/ethereum/go-ethereum (Go) on Jan 13, 2026
Credited to Yenya030

go-ethereum is vulnerable to DoS via malicious p2p message affecting a vulnerable node (High)
CVE-2026-22862, published for github.com/ethereum/go-ethereum (Go) on Jan 13, 2026