
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,295 advisories

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint (Moderate)
CVE-2026-33638 was published for github.com/lin-snow/ech0 (Go) Mar 24, 2026
Credited to QiaoNPC
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching (Moderate)
CVE-2026-33248 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers (Moderate)
CVE-2026-33246 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing (Moderate)
CVE-2026-33223 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS JetStream has an authorization bypass through its Management API (Moderate)
CVE-2026-33222 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS is vulnerable to pre-auth DoS through WebSockets client service (Moderate)
CVE-2026-33219 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS has pre-auth server panic via leafnode handling (High)
CVE-2026-33218 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS allows MQTT clients to bypass ACL checks (High)
CVE-2026-33217 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS has MQTT plaintext password disclosure (High)
CVE-2026-33216 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS is vulnerable to MQTT hijacking via Client ID (Moderate)
CVE-2026-33215 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS Server panic via malicious compression on leafnode port (High)
CVE-2026-29785 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS credentials are exposed in monitoring port via command-line argv (High)
CVE-2026-33247 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
NATS: Message tracing can be redirected to arbitrary subject (Moderate)
CVE-2026-33249 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token (Moderate)
CVE-2026-33621 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution (Moderate)
CVE-2026-33623 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution (Moderate)
CVE-2026-33622 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei
PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems (Moderate)
CVE-2026-33620 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl (Moderate)
CVE-2026-33619 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel (Moderate)
GHSA-7789-65hx-f26w was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 24, 2026
Credited to mdcoxe
Trivy ecosystem supply chain was briefly compromised (Critical)
CVE-2026-33634 was published for aquasecurity/setup-trivy (GitHub Actions) Mar 24, 2026
GoDoxy has a Path Traversal Vulnerability in its File API (Moderate)
CVE-2026-33528 was published for github.com/yusing/godoxy (Go) Mar 24, 2026
Credited to ormzro
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting (Low)
CVE-2026-33525 was published for github.com/authelia/authelia/v4 (Go) Mar 24, 2026
New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check (Moderate)
CVE-2026-30886 was published for github.com/QuantumNous/new-api (Go) Mar 23, 2026
Credited to Mistz1 and Calcium-Ion
New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure (Moderate)
CVE-2026-32879 was published for github.com/QuantumNous/new-api (Go) Mar 23, 2026
Credited to asdf2adsfad and seefs001
NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter (Moderate)
CVE-2026-3864 was published for github.com/kubernetes-csi/csi-driver-nfs (Go) Mar 21, 2026
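One entry in the list above, GHSA-7789-65hx-f26w for FileBrowser Quantum, is titled as a username-enumeration timing side-channel. The Go program below is an added example written for this page to show the generic pattern behind that class of bug; it is not FileBrowser's code and is not derived from the advisory's details. A login handler that returns early when the username is unknown skips the expensive password hash, so an unknown name is rejected in microseconds while a known name costs a full hash, and an attacker can sort names by response time. The hardened variant hashes against a precomputed dummy record when the user is missing, so both paths do the same work. The names `users`, `slowHash`, `LoginLeaky`, `LoginHardened`, the sample credentials and the iterated-SHA-256 stand-in for a real password KDF are all assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"time"
)

// hashRounds makes slowHash cost measurable, roughly constant work.
// slowHash is an illustrative stand-in for bcrypt/Argon2 (assumption of
// this example, not a recommendation); use a real password KDF in production.
const hashRounds = 50000

func slowHash(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	for i := 0; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return hex.EncodeToString(sum[:])
}

type user struct {
	salt string
	hash string
}

// users is a constructed in-memory store for the example.
var users = map[string]user{
	"alice": {salt: "s1", hash: slowHash("s1", "correct horse")},
}

// dummy is a precomputed record for a password nobody uses; the hardened
// path hashes against it when the username is unknown so the cost is equal.
var dummy = user{salt: "s0", hash: slowHash("s0", "dummy-password")}

// LoginLeaky returns before hashing when the user does not exist, which is
// the timing leak. The second return value counts hash computations so the
// difference between the two code paths can be asserted on, not just timed.
func LoginLeaky(name, password string) (ok bool, hashes int) {
	u, found := users[name]
	if !found {
		return false, 0 // unknown user: no hash, fast rejection
	}
	got := slowHash(u.salt, password)
	return subtle.ConstantTimeCompare([]byte(got), []byte(u.hash)) == 1, 1
}

// LoginHardened does the same hashing whether or not the user exists and
// folds the existence check in only at the end, so a password that happens
// to match the dummy record is still rejected.
func LoginHardened(name, password string) (ok bool, hashes int) {
	u, found := users[name]
	if !found {
		u = dummy
	}
	got := slowHash(u.salt, password)
	match := subtle.ConstantTimeCompare([]byte(got), []byte(u.hash)) == 1
	return match && found, 1
}

// timeIt measures one failed login attempt for the given handler.
func timeIt(f func(string, string) (bool, int), name string) time.Duration {
	start := time.Now()
	f(name, "wrong-password")
	return time.Since(start)
}

func main() {
	fmt.Println("leaky    known vs unknown user:", timeIt(LoginLeaky, "alice"), timeIt(LoginLeaky, "bob"))
	fmt.Println("hardened known vs unknown user:", timeIt(LoginHardened, "alice"), timeIt(LoginHardened, "bob"))
}
```

Running `main` prints the two timings side by side; the leaky handler's unknown-user case is orders of magnitude faster than its known-user case, while the hardened handler's two cases are within noise of each other. Equalising the hash work is the core fix, but a production handler should also rate-limit per source and per username, since the timing channel is only one way to enumerate accounts.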