Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,248
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,513
Pub
12
RubyGems
997
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,475 advisories

Loading
pypdf has inefficient decoding of array-based streams Moderate
CVE-2026-33123 was published for pypdf (pip) Mar 18, 2026
kule500 Credited to kule500 and stefan6419846 stefan6419846 stefan6419846
The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class Moderate
CVE-2026-1323 was published for cpsit/typo3-mailqueue (Composer) Mar 18, 2026
eliashaeussler Credited to eliashaeussler
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas Moderate
GHSA-87v3-4cfp-cm76 was published for @pdfme/schemas (npm) Mar 18, 2026
deprrous Credited to deprrous
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas Moderate
GHSA-qq9g-96v4-m3cj was published for @pdfme/schemas (npm) Mar 18, 2026
deprrous Credited to deprrous
Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing) High
GHSA-8mpm-q7mh-8fvh was published for @capgo/cli (npm) Mar 18, 2026
Judel777 Credited to Judel777
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata Moderate
CVE-2026-33067 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering Moderate
CVE-2026-33066 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
Frigte has broken access control viewer user can delete admin and other users account High
CVE-2026-33125 was published for frigate (pip) Mar 18, 2026
czerlun Credited to czerlun
UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop High
CVE-2026-32875 was published for ujson (pip) Mar 18, 2026
vmfunc Credited to vmfunc and bwoodsend bwoodsend bwoodsend
UltraJSON has a Memory Leak parsing large integers allows DoS High
CVE-2026-32874 was published for ujson (pip) Mar 18, 2026
Skevros Credited to Skevros and bwoodsend bwoodsend bwoodsend
Heimdall: Path received via Envoy gRPC corrupted when containing query string High
CVE-2026-32811 was published for github.com/dadrus/heimdall (Go) Mar 18, 2026
Kakadus Credited to Kakadus
Denial of service in github.com/jackc/pgproto3/v2 High
GHSA-jqcq-xjh3-6g23 was published for github.com/jackc/pgproto3/v2 (Go) Mar 18, 2026
Denial of service in github.com/buger/jsonparser High
GHSA-6g7g-w4f8-9c9x was published for github.com/buger/jsonparser (Go) Mar 18, 2026
westonsteimel Credited to westonsteimel
Denial of service in github.com/shamaton/msgpack High
GHSA-h9q6-hc68-35rp was published for github.com/shamaton/msgpack/v2 (Go) Mar 18, 2026
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks Moderate
CVE-2026-33060 was published for @aborruso/ckan-mcp-server (npm) Mar 18, 2026
abcgco Credited to abcgco
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. High
CVE-2026-32763 was published for kysely (npm) Mar 18, 2026
EthanKim88 Credited to EthanKim88 and igalklebanov igalklebanov igalklebanov
File Browser has an Authorization Policy Bypass in Public Share Download Flow Moderate
CVE-2026-32761 was published for https://github.com/filebrowser/filebrowser (Go) Mar 18, 2026
Ahmad-jarwan Credited to Ahmad-jarwan and hacdias hacdias hacdias
Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121 Moderate
GHSA-594f-3595-c47v was published for github.com/argoproj-labs/terraform-provider-argocd (Go) Mar 18, 2026
Langflow is Missing Ownership Verification in API Key Deletion (IDOR) High
CVE-2026-33053 was published for langflow (pip) Mar 18, 2026
FaizanKolega Credited to FaizanKolega, kolega-ai-dev, andifilhohub, and erichare kolega-ai-dev kolega-ai-dev
andifilhohub andifilhohub erichare erichare
Craft CMS Vulnerable to Stored XSS in Revision Context Menu Moderate
CVE-2026-33051 was published for craftcms/cms (Composer) Mar 18, 2026
Neosprings Credited to Neosprings
Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite Moderate
CVE-2026-1217 was published for yoast/duplicate-post (Composer) Mar 18, 2026
ictbeheer Credited to ictbeheer
SQL Injection in Spring AI MariaDBFilterExpressionConverter High
CVE-2026-22730 was published for org.springframework.ai:spring-ai-mariadb-store (Maven) Mar 18, 2026
JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter High
CVE-2026-22729 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 18, 2026
Keycloak: Denial of Service due to excessive SAMLRequest decompression Moderate
CVE-2026-2575 was published for org.keycloak:keycloak-saml-adapter-core (Maven) Mar 18, 2026
Keycloak: Unauthorized authentication via disabled SAML Identity Provider High
CVE-2026-2603 was published for org.keycloak:keycloak-server-spi-private (Maven) Mar 18, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database