GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,003 advisories

Credited to WeebDataHoarder and shaharcohen1
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration (Severity: Critical)
GHSA-6qr9-g2xw-cw92 was published for github.com/dagu-org/dagu (Go) Feb 19, 2026
Credited to ByamB4
Traefik affected by TLS ClientAuth Bypass on HTTP/3 (Severity: Critical)
GHSA-gv8r-9rw9-9697 was published for github.com/traefik/traefik (Go) Feb 20, 2026
Credited to rbqvq
uTLS has a fingerprint vulnerability from GREASE ECH mismatch for Chrome parrots (Severity: Low)
CVE-2026-27017 was published for github.com/refraction-networking/utls (Go) Feb 18, 2026
uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries (Severity: Moderate)
CVE-2026-26994 was published for github.com/refraction-networking/utls (Go) Apr 23, 2025
Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled (Severity: Moderate)
CVE-2026-26963 was published for github.com/cilium/cilium (Go) Feb 19, 2026
Credited to julianwiedmann and smagnani96
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake (Severity: Moderate)
CVE-2026-26315 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
Credited to fengjian
Go Ethereum affected by DoS via malicious p2p message (Severity: High)
CVE-2026-26314 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
Libredesk has an SSRF Vulnerability in Webhooks (Severity: Moderate)
CVE-2026-26957 was published for github.com/abhinavxd/libredesk (Go) Feb 18, 2026
Credited to PlayerIUnknown
Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped (Severity: Low)
CVE-2026-24122 was published for github.com/sigstore/cosign (Go) Feb 19, 2026
Credited to 1seal
Centrifugo v6.6.0 dependency vulnerabilities (Severity: Moderate)
GHSA-j9wf-6r2x-hqmx was published for github.com/centrifugal/centrifugo/v6 (Go) Feb 19, 2026
Credited to samir-is-here
Go Ethereum affected by DoS via malicious p2p message (Severity: Moderate)
CVE-2026-26313 was published for github.com/ethereum/go-ethereum (Go) Feb 18, 2026
Credited to revofusion
opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path (Severity: High)
CVE-2026-26205 was published for github.com/open-policy-agent/opa-envoy-plugin (Go) Feb 18, 2026
Credited to thevilledev
emp3r0r Affected by Concurrent Map Access DoS (panic/crash) (Severity: High)
CVE-2026-26201 was published for github.com/jm33-m0/emp3r0r/core (Go) Feb 17, 2026
Credited to xtle0o0
Kata Container to Guest micro VM privilege escalation (Severity: Moderate)
CVE-2026-24834 was published for github.com/kata-containers/kata-containers/src/runtime (Go) Feb 19, 2026
Credited to kostya-oai, sprt, fidencio, and stevenhorsman
Echo has a Windows path traversal via backslash in middleware.Static default filesystem (Severity: Moderate)
CVE-2026-25766 was published for github.com/labstack/echo/v5 (Go) Feb 17, 2026
Credited to shblue21, aldas, and vishr
Unauthenticated File Upload in Gogs (Severity: Moderate)
CVE-2026-25242 was published for gogs.io/gogs (Go) Feb 17, 2026
Gogs has a Protected Branch Deletion Bypass in Web Interface (Severity: High)
CVE-2026-25232 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs has an Authorization Bypass That Allows Cross-Repository Label Modification in Gogs (Severity: Moderate)
CVE-2026-25229 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs Allows Cross-Repository Comment Deletion via DeleteComment (Severity: Moderate)
CVE-2026-25120 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to tenbbughunters
Mattermost fails to enforce invite permissions when updating team settings (Severity: Low)
CVE-2025-14573 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost fails to properly validate team membership when processing channel mentions (Severity: Moderate)
CVE-2025-14350 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost fails to sanitize sensitive data in WebSocket messages (Severity: Moderate)
CVE-2025-13821 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost fails to properly validate login method restrictions (Severity: Moderate)
CVE-2026-0999 was published for github.com/mattermost/mattermost-server (Go) Feb 16, 2026
Mattermost Plugin Zoom fails to validate user identity and post ownership in the /api/v1/askPMI endpoint (Severity: Moderate)
CVE-2026-0998 was published for github.com/mattermost/mattermost-plugin-zoom (Go) Feb 16, 2026