GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,298 advisories
File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
Moderate
CVE-2026-23849
was published
for
github.com/filebrowser/filebrowser
(Go)
Jan 21, 2026
Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API
Moderate
CVE-2026-23845
was published
for
github.com/axllent/mailpit
(Go)
Jan 21, 2026
Mailpit has an SMTP Header Injection via Regex Bypass
Moderate
CVE-2026-23829
was published
for
github.com/axllent/mailpit
(Go)
Jan 20, 2026
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
Moderate
CVE-2026-23645
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jan 16, 2026
Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
Moderate
CVE-2026-22045
was published
for
github.com/traefik/traefik/v2
(Go)
Jan 15, 2026
Zitadel has a user enumeration vulnerability in Login UIs
Moderate
CVE-2026-23511
was published
for
github.com/zitadel/zitadel
(Go)
Jan 15, 2026
chi has an open redirect vulnerability in the RedirectSlashes middleware
Moderate
GHSA-mqqf-5wvp-8fh8
was published
for
github.com/go-chi/chi
(Go)
Jan 14, 2026
Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass
Moderate
CVE-2026-22772
was published
for
github.com/sigstore/fulcio
(Go)
Jan 13, 2026
Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
Moderate
CVE-2026-22689
was published
for
github.com/axllent/mailpit
(Go)
Jan 13, 2026
Cosign verification accepts any valid Rekor entry under certain conditions
Moderate
CVE-2026-22703
was published
for
github.com/sigstore/cosign/v2
(Go)
Jan 13, 2026
Soft Serve is missing an authorization check in LFS lock deletion
Moderate
CVE-2026-22253
was published
for
github.com/charmbracelet/soft-serve
(Go)
Jan 8, 2026
CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages
Moderate
CVE-2025-68151
was published
for
github.com/coredns/coredns
(Go)
Jan 8, 2026
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources
Moderate
CVE-2026-21885
was published
for
miniflux.app/v2
(Go)
Jan 7, 2026
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
Moderate
CVE-2026-21859
was published
for
github.com/axllent/mailpit
(Go)
Jan 6, 2026
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass
Moderate
GHSA-hjr9-wj7v-7hv8
was published
for
github.com/bishopfox/sliver
(Go)
Jan 5, 2026
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Moderate
CVE-2026-21483
was published
for
github.com/knadh/listmonk
(Go)
Jan 2, 2026
ProTip!
Advisories are also available from the
GraphQL API