
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,967 advisories

Credited to ch4r0utf8
klever-go: REST API slow-header connection exhaustion via Gin Engine.Run High
GHSA-w4c6-7r69-w7j9 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
Credited to estensen
klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS High
GHSA-hf2g-6j7h-98wg was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
Credited to estensen
Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS Moderate
CVE-2026-49343 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
Credited to maiiquynhh
Source controller: Improper path handling allows traversal Moderate
CVE-2026-47680 was published for github.com/fluxcd/source-controller (Go) Jun 5, 2026
Credited to hiddeco
Klever-Go KVM: Hash-array amplification in P2P resolver request handling High
CVE-2026-47249 was published for github.com/klever-io/klever-go (Go) Jun 5, 2026
Credited to leduckhuong
Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService High
CVE-2026-45726 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
Credited to bugbunny-research
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic Low
CVE-2026-45723 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
Credited to bugbunny-research
Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token High
CVE-2026-45720 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
Credited to bugbunny-research
AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle Moderate
CVE-2026-47703 was published for github.com/AdguardTeam/AdGuardHome (Go) Jun 4, 2026
Credited to N0zoM1z0
OpenMeter: SQL injection through meter creation Moderate
CVE-2026-8462 was published for github.com/openmeterio/openmeter (Go) Jun 4, 2026
Credited to sondt99
Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS) High
GHSA-74m6-4hjp-7226 was published for github.com/klever-io/klever-go (Go) Jun 4, 2026
Credited to LoG1331
Singularity: Incorrect path matching for 'limit container paths' directive Moderate
CVE-2026-47215 was published for github.com/sylabs/singularity (Go) Jun 4, 2026
Credited to dtrudg
Nuclio: Missing authorization on project write paths allows any authenticated user to modify or delete any project High
CVE-2026-45730 was published for github.com/nuclio/nuclio (Go) Jun 4, 2026
Credited to j311yl0v3u and b0b0haha
quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion Moderate
CVE-2026-40898 was published for github.com/quic-go/quic-go (Go) Jun 3, 2026
Nezha's authenticated agents can forge service-monitor results for other users' services High
CVE-2026-48119 was published for github.com/nezhahq/nezha (Go) Jun 1, 2026
Credited to sondt99
Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host Moderate
CVE-2026-47268 was published for github.com/nezhahq/nezha (Go) May 29, 2026
Credited to sondt99
Authelia Missing Username Canonicalization in Basic Auth (LDAP) Low
CVE-2026-47203 was published for github.com/authelia/authelia/v4 (Go) May 29, 2026
Credited to Nadav0077, james-d-elliott, nightah, and Crowley723
authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user High
CVE-2026-47201 was published for goauthentik.io (Go) May 29, 2026
go-git: Malformed Git object data may cause panics or resource exhaustion Moderate
GHSA-w5pp-99ch-qj29 was published for github.com/go-git/go-git/v5 (Go) May 29, 2026
Credited to hiddeco, N0zoM1z0, AyushParkara, and kodareef5
CAPM3 vulnerable to Cross-Namespace resource access Moderate
GHSA-rf84-wr5g-m3rp was published for github.com/metal3-io/cluster-api-provider-metal3 (Go) May 29, 2026
IPAM controller service account granted unnecessary full access to Secrets Moderate
CVE-2026-47190 was published for github.com/metal3-io/ip-address-manager (Go) May 29, 2026
Ironic Standalone Operator's controller modifies user-owned resources without consent Moderate
GHSA-hfc8-w5f4-3x6m was published for github.com/metal3-io/ironic-standalone-operator (Go) May 29, 2026
Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces Moderate
GHSA-7cwm-fpfh-rrch was published for github.com/metal3-io/ironic-standalone-operator (Go) May 29, 2026