GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,029 advisories

Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected (severity: Moderate)
CVE-2026-55636 was published for github.com/projectcapsule/capsule (Go) on Jun 17, 2026
Credited to character-s

Gitea: Open Redirect via redirect_to (severity: Moderate)
CVE-2026-25779 was published for github.com/go-gitea/gitea (Go) on Jun 17, 2026
Credited to quirmz

Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer (severity: High)
CVE-2026-28737 was published for code.gitea.io/gitea (Go) on Jun 17, 2026
Credited to yonatan-pl

Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes (severity: High)
CVE-2026-24791 was published for code.gitea.io/gitea (Go) on Jun 17, 2026
Credited to kamil-sawicki

Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration (severity: High)
CVE-2026-22555 was published for code.gitea.io/gitea (Go) on Jun 17, 2026
Credited to andrejtomci

Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join (severity: Moderate)
CVE-2026-54324 was published for github.com/daytonaio/daytona (Go) on Jun 17, 2026
Credited to vnth4nhnt
Credited to vvvvvvvvvvel and Saku0512

Gitea: Token scope bypass on web archive download endpoint (severity: Moderate)
CVE-2026-20706 was published for code.gitea.io/gitea (Go) on Jun 16, 2026
Credited to geoo115

Gitea: Missing repository-unit authorization on issue-template API endpoints (severity: Moderate)
CVE-2026-27783 was published for code.gitea.io/gitea (Go) on Jun 16, 2026
Credited to hoangperry

Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw (severity: Moderate)
CVE-2026-25714 was published for code.gitea.io/gitea (Go) on Jun 16, 2026
Credited to Medoedus

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo (severity: High)
CVE-2026-26231 was published for code.gitea.io/gitea (Go) on Jun 16, 2026
Credited to ddd

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication (severity: High)
CVE-2026-28699 was published for code.gitea.io/gitea (Go) on Jun 16, 2026
Credited to Alardiians

Gogs: Overwriting critical files results in a denial of service (severity: High)
CVE-2026-52797 was published for gogs.io/gogs (Go) on Jun 16, 2026
Credited to kamil-sawicki and ncw

Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens (severity: High)
CVE-2026-28744 was published for code.gitea.io/gitea (Go) on Jun 16, 2026
Credited to ohxorud-dev and lunny

Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles (severity: High)
CVE-2026-54322 was published for github.com/daytonaio/daytona (Go) on Jun 16, 2026
Credited to vnth4nhnt and mrknight-n1du

Caddy: stripHTML template function bypass (severity: Moderate)
CVE-2026-52846 was published for github.com/caddyserver/caddy (Go) on Jun 16, 2026
Credited to jmrcsnchz

Caddy: FastCGI header normalization bypass in `forward_auth copy_headers` (severity: High)
CVE-2026-52845 was published for github.com/caddyserver/caddy (Go) on Jun 16, 2026
Credited to Vincent550102

Caddy: Windows `file_server` path authorization bypass via encoded backslash (severity: High)
CVE-2026-52844 was published for github.com/caddyserver/caddy (Go) on Jun 16, 2026
Credited to Vincent550102

Daytona: Public sandbox previews remain accessible for up to one hour after being made private (severity: High)
CVE-2026-54321 was published for github.com/daytonaio/daytona (Go) on Jun 16, 2026
Credited to mrknight-n1du

Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts (severity: High)
CVE-2026-53622 was published for Traefik (Go) on Jun 16, 2026
Credited to kamil-sawicki

Hugo: Symlink confinement bypass in resources.Get (severity: Moderate)
CVE-2026-50135 was published for github.com/gohugoio/hugo (Go) on Jun 16, 2026
Credited to unknownhad

Hugo: security.http.urls allow-list bypass via HTTP redirects (severity: Moderate)
CVE-2026-50134 was published for github.com/gohugoio/hugo (Go) on Jun 16, 2026
Credited to unknownhad

Hugo: XSS via text/html content files (severity: Moderate)
CVE-2026-50133 was published for github.com/gohugoio/hugo (Go) on Jun 16, 2026
Credited to jmooring

Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass (severity: High)
CVE-2026-48491 was published for Traefik (Go) on Jun 16, 2026
Credited to kamil-sawicki