GitHub Security Advisories filed and tracked. Two are public. Four are under coordinated-disclosure embargo and will appear here when the upstream patch ships. Each advisory cross-references its CVE record where one exists, and the upstream commit when there is one.
SSRF Protection Bypass via HTTP Redirect & DNS Rebinding in isSSRFSafeURL() (CVE-2026-43884)
system.run env override RCE — allowlist bypass via GIT_SSH_COMMAND, editor hooks, GIT_CONFIG_*
advisory 3: under embargo, details withheld until the upstream patch ships
advisory 4: under embargo, details withheld until the upstream patch ships
advisory 5: under embargo, details withheld until the upstream patch ships
advisory 6: under embargo, details withheld until the upstream patch ships
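For the SSRF bypass class the first public advisory names (redirect following and DNS rebinding defeating an up-front URL check), the following is an added example, not code from the affected project or from the advisory itself. It models both bypasses offline and places the check-then-fetch pattern beside a version that resolves each hostname once, pins the connection to that address, and re-validates every redirect hop. RebindingResolver, FakeHTTP, make_env, the host names and the 203.0.113.x / 127.0.0.1 addresses are all constructed for the demo.

```python
import ipaddress
from urllib.parse import urlparse

# Internal ranges a server-side fetcher must never reach on a user's behalf.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECTS = (301, 302, 303, 307, 308)

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:127.0.0.1 style literals
        addr = addr.ipv4_mapped
    return any(addr in net for net in PRIVATE_NETS)

class RebindingResolver:
    """Constructed DNS stand-in: a host with two answers hands out the first
    once and the second afterwards, modelling a low-TTL rebinding record."""
    def __init__(self, answers):
        self.answers = {h: list(ips) for h, ips in answers.items()}
    def resolve(self, host):
        try:
            return str(ipaddress.ip_address(host))   # IP literal: no lookup
        except ValueError:
            pass
        ips = self.answers.get(host)
        if not ips:
            raise OSError(f"unknown host {host}")
        return ips.pop(0) if len(ips) > 1 else ips[0]

class FakeHTTP:
    """Constructed HTTP stand-in, keyed by the IP the client actually connects to."""
    def __init__(self, routes):
        self.routes = routes
    def get(self, ip, host, path):
        return self.routes.get((ip, path), {"status": 404, "body": ""})

def naive_is_ssrf_safe_url(url, resolver):
    """Check-then-fetch: validates the name's address once, before the request."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    return not is_private(resolver.resolve(p.hostname))

def naive_fetch(url, resolver, http, max_redirects=3):
    """Vulnerable: the client re-resolves the name (rebinding window) and
    follows redirects to targets that never pass through the check."""
    if not naive_is_ssrf_safe_url(url, resolver):
        raise ValueError("blocked")
    for _ in range(max_redirects + 1):
        p = urlparse(url)
        ip = resolver.resolve(p.hostname)
        resp = http.get(ip, p.hostname, p.path or "/")
        if resp["status"] in REDIRECTS:
            url = resp["location"]
            continue
        return resp
    raise ValueError("too many redirects")

def safe_fetch(url, resolver, http, max_redirects=3):
    """Hardened: resolve once per hop, reject internal answers, connect to that
    pinned IP (the Host header carries the name), and re-check every redirect."""
    for _ in range(max_redirects + 1):
        p = urlparse(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            raise ValueError("blocked: bad scheme or host")
        ip = resolver.resolve(p.hostname)
        if is_private(ip):
            raise ValueError(f"blocked: {p.hostname} resolves to internal {ip}")
        resp = http.get(ip, p.hostname, p.path or "/")
        if resp["status"] in REDIRECTS:
            url = resp["location"]
            continue
        return resp
    raise ValueError("too many redirects")

def make_env():
    """Constructed scenario: attacker.example rebinds to loopback on its second
    lookup; redirector.example is public but 302s to an internal admin page."""
    resolver = RebindingResolver({
        "attacker.example": ["203.0.113.10", "127.0.0.1"],
        "redirector.example": ["203.0.113.20"],
    })
    http = FakeHTTP({
        ("127.0.0.1", "/admin"): {"status": 200, "body": "INTERNAL ADMIN PAGE"},
        ("203.0.113.10", "/admin"): {"status": 200, "body": "public page"},
        ("203.0.113.20", "/"): {"status": 302, "location": "http://127.0.0.1/admin"},
    })
    return resolver, http

def run(fetcher, url):
    """Fetched body, or the reason the fetch was blocked (fresh environment each call)."""
    resolver, http = make_env()
    try:
        return fetcher(url, resolver, http)["body"]
    except ValueError as e:
        return str(e)
```

Calling run(naive_fetch, ...) on either constructed URL returns the internal admin page, once through the rebinding window and once through the redirect; run(safe_fetch, ...) returns the public page for the rebinding host (the connection went to the address that was checked) and a "blocked" reason for the redirector. In a real client, pinning means opening the socket to the checked IP while still sending the original hostname in Host and SNI, and disabling the HTTP library's automatic redirect following so that every hop comes back through the check.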
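The second public advisory names an environment allowlist that lets GIT_SSH_COMMAND, editor hooks and GIT_CONFIG_* reach a git invocation. The following is an added example, not the affected project's code and not a description of its actual policy: it assumes one common shape of weak policy (a GIT_ prefix allowlist plus the usual editor and pager variables), places an exact-name allowlist beside it, and adds an audit routine that decodes the GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n triples git itself reads. ATTACKER_OVERRIDES and the /tmp payload paths are constructed; which variable actually fires depends on which git code path (ssh transport, editor, pager, external diff) the task reaches.

```python
# Environment names git reads to find a program to run (documented git env vars).
GIT_EXEC_VARS = {
    "GIT_SSH", "GIT_SSH_COMMAND", "GIT_EDITOR", "GIT_PAGER", "GIT_ASKPASS",
    "GIT_EXTERNAL_DIFF", "GIT_EXEC_PATH", "GIT_CONFIG_PARAMETERS",
}
# Generic editor/pager hooks honoured by git and by many other CLIs.
GENERIC_EXEC_VARS = {"EDITOR", "VISUAL", "PAGER"}
# Config keys whose value is a command; injectable through GIT_CONFIG_COUNT/KEY_n/VALUE_n.
EXEC_CONFIG_KEYS = {
    "core.sshcommand", "core.editor", "core.pager", "core.askpass",
    "core.hookspath", "diff.external", "sequence.editor",
}
# Names that only carry identity or prompting flags, never a program.
SAFE_GIT_VARS = frozenset({
    "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME",
    "GIT_COMMITTER_EMAIL", "GIT_TERMINAL_PROMPT",
})

def prefix_allowlist(overrides):
    """Assumed weak policy: anything under the GIT_ prefix counts as 'git settings'
    and passes, as do editor/pager preferences; everything else is dropped."""
    return {k: v for k, v in overrides.items()
            if k.startswith("GIT_") or k in GENERIC_EXEC_VARS}

def exact_allowlist(overrides, allowed=SAFE_GIT_VARS):
    """Hardened policy: exact names only, no prefix or pattern matching, and an
    unknown name fails the whole request instead of being silently dropped."""
    unknown = sorted(set(overrides) - allowed)
    if unknown:
        raise ValueError(f"rejected env overrides: {unknown}")
    return dict(overrides)

def audit(env):
    """List the ways this environment lets a git invocation (or any tool that
    honours EDITOR/PAGER) run an attacker-chosen program."""
    findings = [f"{k} names a program to run" for k in env
                if k in GIT_EXEC_VARS or k in GENERIC_EXEC_VARS]
    try:
        count = int(env.get("GIT_CONFIG_COUNT", "0"))
    except ValueError:
        count = 0
    for i in range(count):   # git reads GIT_CONFIG_KEY_i / GIT_CONFIG_VALUE_i for i < count
        key = env.get(f"GIT_CONFIG_KEY_{i}", "").lower()
        if key in EXEC_CONFIG_KEYS:
            findings.append(f"GIT_CONFIG_KEY_{i}={key} sets a command via injected config")
    return findings

# Constructed attacker-supplied overrides for one run of a git-backed task.
ATTACKER_OVERRIDES = {
    "GIT_AUTHOR_NAME": "ci-bot",
    "GIT_SSH_COMMAND": "/tmp/payload.sh",
    "EDITOR": "/tmp/payload.sh",
    "GIT_CONFIG_COUNT": "1",
    "GIT_CONFIG_KEY_0": "core.sshCommand",
    "GIT_CONFIG_VALUE_0": "/tmp/payload.sh",
    "PATH": "/tmp/evil-bin",
}

def demo():
    """Returns (findings that survive the prefix policy, verdict of the exact policy)."""
    weak = prefix_allowlist(ATTACKER_OVERRIDES)   # PATH is dropped, the rest survive
    weak_findings = audit(weak)
    try:
        exact_allowlist(ATTACKER_OVERRIDES)
        strict_verdict = "accepted"
    except ValueError as e:
        strict_verdict = str(e)
    return weak_findings, strict_verdict
```

demo() shows the prefix policy doing visible work (PATH is stripped) while still handing git three distinct routes to an attacker-chosen program; the exact policy rejects the whole request on the first unknown name. The lesson that generalises past git is the audit half: any allowlist over environment names has to be written against what the child process does with each name, and a prefix is never a statement about that.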
An advisory under embargo is not a finding being hidden. It is a finding being held until the people who use the affected software can update without becoming targets in the window between disclosure and patch.
For each pending row above there is an open coordination channel with the upstream maintainer, an agreed disclosure date tied to the patch ship date and, where the maintainer is unresponsive, a hard fallback at 90 days. A placeholder row is not the absence of work; it is the presence of patience.
Once published, the row populates with the full advisory ID, the CVSS score, the affected versions, and the patch reference. Subscribe to the GitHub advisories feed if you want to be notified the moment that happens.