Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,246
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,513
Pub
12
RubyGems
997
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,467 advisories

Loading
NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2026-30048 was published for @developer.notchatbot/webchat (npm) Mar 18, 2026
Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation High
CVE-2026-33002 was published for org.jenkins-ci.main:jenkins-core (Maven) Mar 18, 2026
Jenkins LoadNinja Plugin stores LoadNinja API keys unencrypted in job config.xml files Moderate
CVE-2026-33003 was published for org.jenkins-ci.plugins:loadninja (Maven) Mar 18, 2026
Avo has a XSS vulnerability on `return_to` param Moderate
CVE-2026-33209 was published for avo (RubyGems) Mar 18, 2026
timwis Credited to timwis
Improper detection of disallowed URIs by Loofah `allowed_uri?` Low
GHSA-46fp-8f5p-pf2m was published for loofah (RubyGems) Mar 18, 2026
Out-of-Bounds Slice Access in free5GC CHF Leading to DoS High
CVE-2026-32937 was published for github.com/free5gc/chf (Go) Mar 18, 2026
LinZiyuu Credited to LinZiyuu
socket.io allows an unbounded number of binary attachments High
CVE-2026-33151 was published for socket.io-parser (npm) Mar 18, 2026
x4cc3 Credited to x4cc3 and darrachequesne darrachequesne darrachequesne
Zitadel is missing enforcement of organization scopes Moderate
CVE-2026-33132 was published for github.com/zitadel/zitadel (Go) Mar 18, 2026
peintnermax Credited to peintnermax, grvijayan, wim07101993, livio-a, and motoki317 grvijayan grvijayan
wim07101993 wim07101993 livio-a livio-a motoki317 motoki317
OneUptime WhatsApp Webhook Missing Signature Verification High
CVE-2026-33143 was published for oneuptime (npm) Mar 18, 2026
n0rv-TvT Credited to n0rv-TvT
OneUptime ClickHouse vulnerable to SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters High
CVE-2026-33142 was published for oneuptime (npm) Mar 18, 2026
vnykmshr Credited to vnykmshr
PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation Moderate
CVE-2026-33081 was published for github.com/pinchtab/pinchtab (Go) Mar 18, 2026
Yesuhei Credited to Yesuhei
Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution Moderate
CVE-2026-33140 was published for pyspector (pip) Mar 18, 2026
satoridev01 Credited to satoridev01
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution High
CVE-2026-33139 was published for pyspector (pip) Mar 18, 2026
Shinigami81 Credited to Shinigami81
h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read Moderate
GHSA-wr4h-v87w-p3r7 was published for h3 (npm) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
h3 has a middleware bypass with one gadget High
CVE-2026-33131 was published for h3 (npm) Mar 18, 2026
hibwyli Credited to hibwyli
h3 has an observable timing discrepancy in basic auth utils Moderate
CVE-2026-33129 was published for h3 (npm) Mar 18, 2026
simonkoeck Credited to simonkoeck
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields High
CVE-2026-33128 was published for h3 (npm) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
pypdf has inefficient decoding of array-based streams Moderate
CVE-2026-33123 was published for pypdf (pip) Mar 18, 2026
kule500 Credited to kule500 and stefan6419846 stefan6419846 stefan6419846
The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class Moderate
CVE-2026-1323 was published for cpsit/typo3-mailqueue (Composer) Mar 18, 2026
eliashaeussler Credited to eliashaeussler
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas Moderate
GHSA-87v3-4cfp-cm76 was published for @pdfme/schemas (npm) Mar 18, 2026
deprrous Credited to deprrous
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas Moderate
GHSA-qq9g-96v4-m3cj was published for @pdfme/schemas (npm) Mar 18, 2026
deprrous Credited to deprrous
Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing) High
GHSA-8mpm-q7mh-8fvh was published for @capgo/cli (npm) Mar 18, 2026
Judel777 Credited to Judel777
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata Moderate
CVE-2026-33067 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering Moderate
CVE-2026-33066 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
Frigte has broken access control viewer user can delete admin and other users account High
CVE-2026-33125 was published for frigate (pip) Mar 18, 2026
czerlun Credited to czerlun
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database