
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

22 advisories

Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations (Moderate)
CVE-2026-22728 was published for github.com/bitnami-labs/sealed-secrets (Go) Feb 26, 2026
Credited to 1seal

Caddy is vulnerable to cross-origin config application via local admin API /load (Moderate)
CVE-2026-27589 was published for github.com/caddyserver/caddy/v2 (Go) Feb 24, 2026
Credited to 1seal

Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped (Low)
CVE-2026-24122 was published for github.com/sigstore/cosign (Go) Feb 19, 2026
Credited to 1seal

Trivy Action has a script injection via sourced env file in composite action (Moderate)
CVE-2026-26189 was published for aquasecurity/trivy-action (GitHub Actions) Feb 18, 2026
Credited to 1seal, DmitriyLewen, and simar7

LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic (Low)
GHSA-vhvq-fv9f-wh4q was published for github.com/authzed/spicedb (Go) Feb 6, 2026
Credited to 1seal

melange has a path traversal in license-path which allows reading files outside workspace (Moderate)
CVE-2026-25145 was published for chainguard.dev/melange (Go) Feb 4, 2026
Credited to 1seal, sil2100, antitree, egibs, and eslerm

melange affected by potential host command execution via license-check YAML mode patch pipeline (High)
CVE-2026-25143 was published for chainguard.dev/melange (Go) Feb 4, 2026
Credited to 1seal, egibs, sil2100, and antitree

Credited to 1seal, egibs, antitree, and jdolitsky

apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams (Moderate)
CVE-2026-25122 was published for chainguard.dev/apko (Go) Feb 3, 2026
Credited to 1seal, egibs, antitree, and jdolitsky

apko has a path traversal in apko dirFS which allows filesystem writes outside base (High)
CVE-2026-25121 was published for chainguard.dev/apko (Go) Feb 3, 2026
Credited to 1seal, jdolitsky, antitree, xornivore, eslerm, egibs, and stevebeattie

melange pipeline working-directory could allow command injection (High)
CVE-2026-24844 was published for chainguard.dev/melange (Go) Feb 3, 2026
Credited to 1seal, antitree, egibs, 89luca89, and eslerm

melange QEMU runner could write files outside workspace directory (High)
CVE-2026-24843 was published for chainguard.dev/melange (Go) Feb 3, 2026
Credited to 1seal, antitree, egibs, 89luca89, and eslerm

cert-manager-controller DoS via Specially Crafted DNS Response (Moderate)
CVE-2026-25518 was published for github.com/cert-manager/cert-manager (Go) Feb 2, 2026
Credited to 1seal and SgtCoDFish

malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction (Moderate)
CVE-2026-24846 was published for github.com/chainguard-dev/malcontent (Go) Jan 29, 2026
Credited to 1seal, egibs, antitree, stevebeattie, and eslerm

malcontent OCI image pull credential exfiltration via malicious registry token realm (Moderate)
CVE-2026-24845 was published for github.com/chainguard-dev/malcontent (Go) Jan 29, 2026
Credited to 1seal, egibs, antitree, stevebeattie, and eslerm

go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names (Moderate)
CVE-2026-24686 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 26, 2026
Credited to 1seal, rdimitrov, and kommendorkapten

sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal (Moderate)
CVE-2026-24137 was published for github.com/sigstore/sigstore (Go) Jan 22, 2026
Credited to 1seal

Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL (Moderate)
CVE-2026-24117 was published for github.com/sigstore/rekor (Go) Jan 22, 2026
Credited to 1seal

Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message (Moderate)
CVE-2026-23831 was published for github.com/sigstore/rekor (Go) Jan 22, 2026
Credited to 1seal

go-tuf improperly validates the configured threshold for delegations (Moderate)
CVE-2026-23992 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 21, 2026
Credited to 1seal, kommendorkapten, and rdimitrov

go-tuf affected by client DoS via malformed server response (Moderate)
CVE-2026-23991 was published for github.com/theupdateframework/go-tuf/v2 (Go) Jan 21, 2026
Credited to 1seal, kommendorkapten, and rdimitrov

Cosign verification accepts any valid Rekor entry under certain conditions (Moderate)
CVE-2026-22703 was published for github.com/sigstore/cosign/v2 (Go) Jan 13, 2026
Credited to 1seal
ProTip! Advisories are also available from the GraphQL API