GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,361 advisories

Fleet's user account creation via invite does not enforce invited email address Moderate
CVE-2026-34389 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint Moderate
CVE-2026-34388 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin Moderate
CVE-2026-34386 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
prateek-0490 Credited to prateek-0490
Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database Moderate
CVE-2026-34385 was published for github.com/fleetdm/fleet/v4 (Go) Mar 30, 2026
prateek-0490 Credited to prateek-0490
go-git: Maliciously crafted idx file can cause asymmetric memory consumption Moderate
CVE-2026-34165 was published for github.com/go-git/go-git/v5 (Go) Mar 30, 2026
kq5y Credited to kq5y
Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) Moderate
CVE-2026-33990 was published for github.com/docker/model-runner (Go) Mar 30, 2026
davidrxchester Credited to davidrxchester
go-git missing validation decoding Index v4 files leads to panic Low
CVE-2026-33762 was published for github.com/go-git/go-git/v5 (Go) Mar 30, 2026
kq5y Credited to kq5y
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover Critical
CVE-2026-33032 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
yotampe-pluto Credited to yotampe-pluto
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys High
CVE-2026-33030 was published for github.com/0xJacky/nginx-ui (Go) Mar 30, 2026
f1veT Credited to f1veT
nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval Moderate
CVE-2026-33029 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse High
CVE-2026-33028 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation Moderate
CVE-2026-33027 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
nginx-ui Backup Restore Allows Tampering with Encrypted Backups Critical
CVE-2026-33026 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
dapickle Credited to dapickle
Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) High
CVE-2026-27018 was published for github.com/gotenberg/gotenberg/v8 (Go) Mar 30, 2026
q1uf3ng Credited to q1uf3ng
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) High
GHSA-46wh-3698-f2cx was published for github.com/traefik/traefik/v2 (Go) Mar 29, 2026
Sliver: Nil Pointer Dereference in tunnelCloseHandler causes panic when a reverse tunnel (rportfwd) close is attempted High
GHSA-c279-989m-238f was published for github.com/bishopfox/sliver (Go) Mar 29, 2026
VarshankNaik Credited to VarshankNaik
XPath: Boolean expression infinite loop leads to denial of service via CPU exhaustion High
CVE-2026-32287 was published for github.com/antchfx/xpath (Go) Mar 29, 2026
MinIO is Vulnerable to SSE Metadata Injection via Replication Headers High
CVE-2026-34204 was published for github.com/minio/minio (Go) Mar 27, 2026
harshavardhana Credited to harshavardhana, donatello, and shtripat
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField Moderate
CVE-2026-33433 was published for github.com/traefik/traefik/v2 (Go) Mar 27, 2026
0xVijay Credited to 0xVijay
Flannel has cross-node remote code execution via extension backend BackendData injection High
CVE-2026-32241 was published for github.com/flannel-io/flannel (Go) Mar 27, 2026
shachartal Credited to shachartal
A Fleet team maintainer can transfer hosts from any team via missing source team authorization Moderate
CVE-2026-29180 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
prateek-0490 Credited to prateek-0490
act: actions/cache server allows malicious cache injection High
CVE-2026-34042 was published for github.com/nektos/act (Go) Mar 27, 2026
programmerjake Credited to programmerjake
act: Unrestricted set-env and add-path command processing enables environment injection High
CVE-2026-34041 was published for github.com/nektos/act (Go) Mar 27, 2026
golang-not-rust Credited to golang-not-rust
Fleet's unbounded request body read allows remote Denial of Service High
CVE-2026-26061 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
MagnusHJensen Credited to MagnusHJensen
Fleet: Password reset tokens remain valid after password change for 24 hours Moderate
CVE-2026-26060 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026