GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,294 advisories
OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex
High | GHSA-pxq7-h93f-9jrg was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) | Apr 15, 2026

MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
High | GHSA-hv4r-mvr4-25vw was published for github.com/minio/minio (Go) | Apr 14, 2026

Oxia's TLS CA certificate chain validation fails with multi-certificate PEM bundles
High | GHSA-7jrq-q4pq-rhm6 was published for github.com/oxia-db/oxia (Go) | Apr 14, 2026

Oxia affected by server crash via race condition in session heartbeat handling
High | GHSA-5gqc-qhrj-9xw8 was published for github.com/oxia-db/oxia (Go) | Apr 14, 2026

Oxia exposes bearer token in debug log messages on authentication failure
High | GHSA-pm7q-rjjx-979p was published for github.com/oxia-db/oxia (Go) | Apr 14, 2026

Go Markdown has an Out-of-bounds Read in SmartypantsRenderer
High | CVE-2026-40890 was published for github.com/gomarkdown/markdown (Go) | Apr 14, 2026

Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access
High | CVE-2026-4789 was published for github.com/kyverno/kyverno (Go) | Apr 14, 2026

Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write
High | CVE-2026-40090 was published for github.com/zarf-dev/zarf (Go) | Apr 14, 2026

goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
High | CVE-2026-40885 was published for github.com/patrickhener/goshs/v2 (Go) | Apr 14, 2026

SFTP root escape via prefix-based path validation in goshs
High | CVE-2026-40876 was published for github.com/patrickhener/goshs (Go) | Apr 14, 2026

kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
High | CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) | Apr 14, 2026

Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach
High | GHSA-fmqp-4wfc-w3v7 was published for github.com/kyverno/kyverno (Go) | Apr 14, 2026

Kyverno has unrestricted outbound requests in Kyverno apiCall enabling SSRF
High | GHSA-qr4g-8hrp-c4rw was published for github.com/kyverno/kyverno (Go) | Apr 14, 2026

free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions
High | CVE-2026-40248 was published for github.com/free5gc/udr (Go) | Apr 14, 2026

free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions
High | CVE-2026-40247 was published for github.com/free5gc/udr (Go) | Apr 14, 2026

free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions
High | CVE-2026-40246 was published for github.com/free5gc/udr (Go) | Apr 14, 2026

free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication
High | CVE-2026-40245 was published for github.com/free5gc/udr (Go) | Apr 14, 2026

MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads
High | GHSA-9c4q-hq6p-c237 was published for github.com/minio/minio (Go) | Apr 14, 2026

In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation
High | CVE-2026-40481 was published for github.com/monetr/monetr (Go) | Apr 14, 2026

Note Mark has Stored XSS via Unrestricted Asset Upload
High | CVE-2026-40262 was published for github.com/enchant97/note-mark/backend (Go) | Apr 13, 2026

Maddy Mail Server has an LDAP Filter Injection via Unsanitized Username
High | CVE-2026-40193 was published for github.com/foxcpp/maddy (Go) | Apr 13, 2026

External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
High | CVE-2026-34984 was published for github.com/external-secrets/external-secrets (Go) | Apr 13, 2026

Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server
High | CVE-2026-34476 was published for github.com/apache/skywalking-mcp (Go) | Apr 13, 2026

Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint
High | CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) | Apr 10, 2026

goshs is Missing Write Protection for Parametric Data Values
High | CVE-2026-40188 was published for github.com/patrickhener/goshs (Go) | Apr 10, 2026