GO-2026-4310 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails in github.com/axllent/mailpit
Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails in github.com/axllent/mailpit. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
GO-2026-4318 DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface in github.com/donknap/dpanel
DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface in github.com/donknap/dpanel...
GO-2026-4312 Envoy Extension Policy lua scripts injection causes arbitrary command execution in github.com/envoyproxy/gateway
Envoy Extension Policy lua scripts injection causes arbitrary command execution in github.com/envoyproxy/gateway...
CVE-2026-26188
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-22 20:23:37+00:00 | published-proof-of-concept | https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9... |
RHSA-2026:1014
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-22 15:51:22+00:00 | seen | https://gist.github.com/Darkcrai86/78d8b8337436d9ef75bd692938a1f1d2... |
Allocation of Resources Without Limits or Throttling
Overview: org.webjars.npm:seroval is a "Stringify JS values" package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when serializing objects with very large depth. An attacker can cause resource exhaustion and disrupt service availability by submitti...
AZL-75189 CVE-2026-23992 affecting package gh 2.62.0-10
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to...
Azure Linux 3.0 Security Update: gh (CVE-2024-52308)
The version of gh installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-52308 advisory. - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace S...
Azure Linux 3.0 Security Update: gh (CVE-2025-48938)
The version of gh installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-48938 advisory. - go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has...
Azure Linux 3.0 Security Update: gh (CVE-2025-25204)
The version of gh installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-25204 advisory. - gh is GitHub's official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain...
Allocation of Resources Without Limits or Throttling
Overview: org.webjars.npm:seroval is a "Stringify JS values" package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the encoded array lengths serialization process. An attacker can cause excessive processing time by overriding encoded array lengt...
CVE-2024-55025
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-21 10:01:35+00:00 | seen | https://gist.github.com/AenganZ/f86ed0da28825a1432ec697f484622de... |
CVE-2024-55027
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-21 10:01:35+00:00 | seen | https://gist.github.com/AenganZ/f86ed0da28825a1432ec697f484622de... |
CVE-2025-11580
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-21 06:39:57+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2025/CVE-2025-11580.yaml |
| 2026-01-22 21:03:05+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3md23iwotwa24... |
AI-supported vulnerability triage with the GitHub Security Lab Taskflow Agent
Triaging security alerts is often very repetitive because false positives are caused by patterns that are obvious to a human auditor but difficult to encode as a formal code pattern. But large language models (LLMs) excel at matching the fuzzy patterns that traditional tools struggle with, so we at...
GHSA-JM66-CG57-JJV5 vulnerabilities
Vulnerabilities for packages: authentik-fips, request-1276, open-webui, duplicity, py3-cassandra-medusa, kserve, airflow, pgadmin4, awx, barman, az, authentik...
North Korea-Linked Hackers Target Developers via Malicious VS Code Projects
The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new...
GHSA-73RR-HH4G-FPGX vulnerabilities
Vulnerabilities for packages: grafana, vitess, tileserver-gl, langfuse, npm, ts-patch, saf, argo-workflows, renovate, prism...
CVE-2025-14351
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-20 06:33:14+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mctjxqpcoc2i |
| 2026-01-20 07:51:41+00:00 | seen | https://gist.github.com/Darkcrai86/9a0fa1b491739b4e729d80465cb99f43... |
CVE-2020-15081
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-20 03:57:37+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2020/CVE-2020-15081.yaml |
| 2026-01-23 21:02:59+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3md4lxp2srt2i... |