GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,521 advisories

OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex High
GHSA-pxq7-h93f-9jrg was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to rootxharsh
OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims Moderate
CVE-2026-40574 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to kodareef5
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing Critical
CVE-2026-40575 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 15, 2026
Credited to iamnoooob
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads High
GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) Apr 14, 2026
Credited to ddd, harshavardhana, and donatello
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses Low
GHSA-hw5x-4r37-72w7 was published for github.com/opentofu/opentofu (Go) Apr 14, 2026
frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control Moderate
GHSA-pq96-pwvg-vrr9 was published for github.com/fatedier/frp (Go) Apr 14, 2026
Credited to 0wnerDied
Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles High
GHSA-7jrq-q4pq-rhm6 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia affected by server crash via race condition in session heartbeat handling High
GHSA-5gqc-qhrj-9xw8 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia has an OIDC token audience validation bypass via SkipClientIDCheck Critical
GHSA-fhvp-9hcj-6m33 was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
Oxia exposes bearer token in debug log messages on authentication failure High
GHSA-pm7q-rjjx-979p was published for github.com/oxia-db/oxia (Go) Apr 14, 2026
SiYuan has incomplete fix for CVE-2026-33066: XSS Moderate
GHSA-8q5w-mmxf-48jg was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 14, 2026
Credited to wooseokdotkim
Go Markdown has an Out-of-bounds Read in SmartypantsRenderer High
CVE-2026-40890 was published for github.com/gomarkdown/markdown (Go) Apr 14, 2026
Credited to JulesDT
Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access High
CVE-2026-4789 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to iggypopi and stepanskyigor-orca
SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs Moderate
CVE-2026-40091 was published for github.com/authzed/spicedb (Go) Apr 14, 2026
Credited to miparnisari
Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write High
CVE-2026-40090 was published for github.com/zarf-dev/zarf (Go) Apr 14, 2026
Credited to joonas
OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode Critical
CVE-2026-34457 was published for github.com/oauth2-proxy/oauth2-proxy (Go) Apr 14, 2026
Credited to iamnoooob
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page Low
CVE-2026-34454 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Apr 14, 2026
Credited to bella-WI and fnoehWM
PowerShell Command Injection in Podman HyperV Machine Moderate
CVE-2026-33414 was published for github.com/containers/podman/v4 (Go) Apr 14, 2026
Credited to KoreaSecurity
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access High
CVE-2026-40885 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
Credited to R1ZZG0D
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation Moderate
CVE-2026-40883 was published for github.com/patrickhener/goshs/v2 (Go) Apr 14, 2026
Credited to R1ZZG0D
goshs has an empty-username SFTP password authentication bypass Critical
CVE-2026-40884 was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
Credited to R1ZZG0D
SFTP root escape via prefix-based path validation in goshs High
CVE-2026-40876 was published for github.com/patrickhener/goshs (Go) Apr 14, 2026
Credited to R1ZZG0D
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token High
CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to 1seal
Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach High
GHSA-fmqp-4wfc-w3v7 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to b0b0haha and j311yl0v3u