
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,475 advisories

Parse Server crash via deeply nested query condition operators High
CVE-2026-32944 was published for parse-server (npm) Mar 17, 2026
Credited to mtrezza
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to Moderate
CVE-2026-32700 was published for devise (RubyGems) Mar 17, 2026
Credited to grantcox and albinowax
ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash Moderate
CVE-2026-32636 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 17, 2026
Credited to fumfel
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS High
CVE-2026-32254 was published for github.com/cloudnativelabs/kube-router/v2 (Go) Mar 17, 2026
Credited to b0b0haha and j311yl0v3u
jsPDF has HTML Injection in New Window paths Critical
CVE-2026-31938 was published for jspdf (npm) Mar 17, 2026
Credited to sofianeelhor and peaktwilight
jsPDF has a PDF Object Injection via FreeText color High
CVE-2026-31898 was published for jspdf (npm) Mar 17, 2026
Credited to sofianeelhor and peaktwilight
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() High
CVE-2026-31891 was published for cockpit-hq/cockpit (Composer) Mar 17, 2026
Credited to ffasterss
Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices High
CVE-2026-33013 was published for io.micronaut:micronaut-json-core (Maven) Mar 17, 2026
Elysia Cookie Value Prototype Pollution Moderate
CVE-2026-31865 was published for elysia (npm) Mar 17, 2026
Denial of Service in pyasn1 via Unbounded Recursion High
CVE-2026-30922 was published for pyasn1 (pip) Mar 17, 2026
Credited to romanticpragmatism
Next.js: HTTP request smuggling in rewrites Moderate
CVE-2026-29057 was published for next (npm) Mar 17, 2026
Next.js: Unbounded next/image disk cache growth can exhaust storage Moderate
CVE-2026-27980 was published for next (npm) Mar 17, 2026
Next.js: Unbounded postponed resume buffering can lead to DoS Moderate
CVE-2026-27979 was published for next (npm) Mar 17, 2026
Katello: Denial of Service and potential information disclosure via SQL injection Moderate
CVE-2026-4324 was published for katello (RubyGems) Mar 17, 2026
Next.js: null origin can bypass Server Actions CSRF checks Moderate
CVE-2026-27978 was published for next (npm) Mar 17, 2026
Next.js: null origin can bypass dev HMR websocket CSRF checks Low
CVE-2026-27977 was published for next (npm) Mar 17, 2026
Credited to radu33 and xdavidhu
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) Critical
CVE-2026-32940 was published for github.com/siyuan-note/siyuan (Go) Mar 17, 2026
Credited to vnykmshr
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service Critical
CVE-2026-32938 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 17, 2026
Credited to TCOTC, YuxinZhaozyx, and 88250
Uncontrolled recursion DoS in JustHTML() via deeply nested HTML High
GHSA-v7cf-c9rm-wm3j was published for justhtml (pip) Mar 17, 2026
Credited to kq5y
Apache Airflow: DAG authorization bypass Moderate
CVE-2026-28563 was published for apache-airflow (pip) Mar 17, 2026
Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization High
CVE-2026-30911 was published for apache-airflow (pip) Mar 17, 2026
Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata High
CVE-2026-26929 was published for apache-airflow (pip) Mar 17, 2026
Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email) High
CVE-2026-4208 was published for ralffreit/mfa-email (Composer) Mar 17, 2026
Broken Access Control in extension "Redirect Tab" (redirect_tab) Low
CVE-2026-4202 was published for ayacoo/redirect-tab (Composer) Mar 17, 2026