GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,328 advisories
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
High
CVE-2026-34984 was published for github.com/external-secrets/external-secrets (Go) on Apr 13, 2026
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
High
CVE-2026-40885 was published for github.com/patrickhener/goshs/v2 (Go) on Apr 14, 2026
SFTP root escape via prefix-based path validation in goshs
High
CVE-2026-40876 was published for github.com/patrickhener/goshs (Go) on Apr 14, 2026
Juju has a resource poisoning vulnerability
High
CVE-2025-68153 was published for github.com/juju/juju (Go) on Apr 3, 2026
github.com/buger/jsonparser has a denial of service vulnerability
High
CVE-2026-32285 was published for github.com/buger/jsonparser (Go) on Mar 18, 2026
Dapr: Service Invocation path traversal ACL bypass
High
CVE-2026-41491 was published for github.com/dapr/dapr (Go) on Apr 17, 2026
SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
High
CVE-2026-41894 was published for github.com/siyuan-note/siyuan/kernel (Go) on Apr 22, 2026
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
High
CVE-2026-34403 was published for github.com/0xJacky/Nginx-UI (Go) on Apr 21, 2026
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
High
CVE-2026-33031 was published for github.com/0xJacky/Nginx-UI (Go) on Apr 21, 2026
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
High
CVE-2026-41433 was published for go.opentelemetry.io/obi (Go) on Apr 17, 2026
Go Markdown has an Out-of-bounds Read in SmartypantsRenderer
High
CVE-2026-40890 was published for github.com/gomarkdown/markdown (Go) on Apr 14, 2026
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
High
CVE-2026-40611 was published for github.com/go-acme/lego (Go) on Apr 16, 2026
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
High
CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go) on Mar 9, 2026
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
High
CVE-2026-27611 was published for github.com/gtsteffaniak/filebrowser/backend (Go) on Feb 25, 2026
Cilium exposes sensitive information included in the cilium-bugtool debug archive
High
CVE-2026-41520 was published for github.com/cilium/cilium (Go) on Apr 25, 2026
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
High
GHSA-74m3-9qvm-rp9h was published for github.com/openziti/zrok (Go) on Apr 25, 2026
Heimdall has an authorization bypass via path normalization mismatch
High
GHSA-3q34-rx83-r6mq was published for github.com/dadrus/heimdall (Go) on Apr 25, 2026
Heimdall: Case-sensitive host matching may lead to policy bypass
High
GHSA-72h4-mxfc-jx37 was published for github.com/dadrus/heimdall (Go) on Apr 25, 2026
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
High
GHSA-43jv-5j4x-qv67 was published for github.com/dadrus/heimdall (Go) on Apr 25, 2026
MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads
High
CVE-2026-40344 was published for github.com/minio/minio (Go) on Apr 14, 2026
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
High
CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) on Apr 21, 2026
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
High
CVE-2026-40868 was published for github.com/kyverno/kyverno (Go) on Apr 14, 2026
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
High
CVE-2026-41323 was published for github.com/kyverno/kyverno (Go) on Apr 16, 2026
BuildKit Git URL subdir component can cause access to restricted files
High
CVE-2026-33748 was published for github.com/moby/buildkit (Go) on Mar 26, 2026
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
High
CVE-2026-41145 was published for github.com/minio/minio (Go) on Apr 14, 2026