GitHub Security Advisories filed and tracked. Four are public. Each advisory cross-references its CVE record where one exists, and the upstream commit when there is one.
system.run env override RCE — allowlist bypass via GIT_SSH_COMMAND, editor hooks, GIT_CONFIG_*
SimpleAsyncHTTPClient forwards Authorization & Cookie headers across origins on 3xx redirect — credentials leak to a different host. Fixed in 6.5.6.
Incomplete privilege-escalation patch — editUser() and updateUserRights() remain unguarded; an admin with only edit_user can self-grant SuperAdmin. Fixed in 4.1.4.
SecretsVerifier accepts an empty signing secret without precondition — request-signature verification silently passes when the secret is unset, letting forged Slack requests validate. github.com/slack-go/slack.
An advisory under embargo is not a finding being hidden. It is a finding being held until the people who use the affected software can update without becoming targets in the window between disclosure and patch.
When a finding is under embargo, there is an open coordination channel with the upstream maintainer, an agreed disclosure date tied to the patch ship date, and — where the maintainer is unresponsive — a hard fallback at 90 days. It is not the absence of work; it is the presence of patience.
Once published, the row populates with the full advisory ID, the CVSS score, the affected versions, and the patch reference. Subscribe to the GitHub advisories feed if you want to be notified the moment that happens.