Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,248
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,513
Pub
12
RubyGems
997
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,475 advisories

Loading
Parse Server has an auth provider validation bypass on login via partial authData High
CVE-2026-33409 was published for parse-server (npm) Mar 19, 2026
restriction Credited to restriction and mtrezza mtrezza mtrezza
Scriban Affected by Memory Exhaustion (OOM) via Unbounded String Generation (Denial of Service) Moderate
GHSA-5rpf-x9jg-8j5p was published for scriban (NuGet) Mar 19, 2026
skdishansachin Credited to skdishansachin
Scriban has an Infinite Recursion during Object Rendering Leads to Stack Overflow and Process Crash (Denial of Service) High
GHSA-grr9-747v-xvcp was published for scriban (NuGet) Mar 19, 2026
skdishansachin Credited to skdishansachin
Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service) High
GHSA-wgh7-7m3c-fx25 was published for scriban (NuGet) Mar 19, 2026
skdishansachin Credited to skdishansachin
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR Moderate
CVE-2026-33397 was published for @angular/ssr (npm) Mar 19, 2026
VenkatKwest Credited to VenkatKwest, alan-agius4, securityMB, josephperrott, and AndrewKushnir alan-agius4 alan-agius4
securityMB securityMB josephperrott josephperrott AndrewKushnir AndrewKushnir
The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI Moderate
CVE-2026-4267 was published for johnbillion/query-monitor (Composer) Mar 19, 2026
AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php` High
CVE-2026-33354 was published for wwbn/avideo (Composer) Mar 19, 2026
gr00ve3 Credited to gr00ve3
In Soft Serve, an authenticated repo import can clone server-local private repositories High
CVE-2026-33353 was published for github.com/charmbracelet/soft-serve (Go) Mar 19, 2026
evnsh Credited to evnsh
AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) Critical
CVE-2026-33352 was published for wwbn/avideo (Composer) Mar 19, 2026
iconnnjka Credited to iconnnjka
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG High
CVE-2026-33344 was published for github.com/dagu-org/dagu (Go) Mar 19, 2026
vnykmshr Credited to vnykmshr
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass Critical
CVE-2026-33351 was published for wwbn/avideo (Composer) Mar 19, 2026
iconnnjka Credited to iconnnjka
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser Moderate
CVE-2026-33349 was published for fast-xml-parser (npm) Mar 19, 2026
restriction Credited to restriction
league/commonmark has an embed extension allowed_domains bypass Moderate
CVE-2026-33347 was published for league/commonmark (Composer) Mar 19, 2026
HuajiHD Credited to HuajiHD
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion Moderate
CVE-2026-33332 was published for nicegui (pip) Mar 19, 2026
aest3ra Credited to aest3ra, oxqnd, mjkim610, evnchn, Khaliun-sw1, and falkoschindler oxqnd oxqnd
mjkim610 mjkim610 evnchn evnchn Khaliun-sw1 Khaliun-sw1 falkoschindler falkoschindler
@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix) Moderate
CVE-2026-33326 was published for @keystone-6/core (npm) Mar 19, 2026
n0wsh Credited to n0wsh
Packetbeat does not properly validate an array index in multiple protocol parser components Moderate
CVE-2026-26933 was published for github.com/elastic/beats/v7 (Go) Mar 19, 2026
PyMuPDF has a path traversal in _main_.py Moderate
CVE-2026-3029 was published for PyMuPDF (pip) Mar 19, 2026
Metricbeat Allocates Memory with Excessive Size Value Leading to Denial of Service Moderate
CVE-2026-26931 was published for github.com/elastic/beats/v7 (Go) Mar 19, 2026
Parse Server email verification resend page leaks user existence Moderate
CVE-2026-33323 was published for parse-server (npm) Mar 19, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version High
GHSA-2mhw-8qcg-gr96 was published for skia-python (pip) Mar 19, 2026
MinIO has JWT Algorithm Confusion in OIDC Authentication Critical
CVE-2026-33322 was published for github.com/minio/minio (Go) Mar 19, 2026
KoreaSecurity Credited to KoreaSecurity, donatello, harshavardhana, and taran-p donatello donatello
harshavardhana harshavardhana taran-p taran-p
Improper Authentication and Origin Validation Error in pyload-ng Moderate
CVE-2026-33314 was published for pyload-ng (pip) Mar 19, 2026
Jaynornj Credited to Jaynornj
bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby Moderate
CVE-2026-33306 was published for bcrypt (RubyGems) Mar 19, 2026
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials Moderate
CVE-2026-33311 was published for @dicebear/core (npm) Mar 19, 2026
restriction Credited to restriction
Ella Core panics on malformed ULNASTransport Message without a Request Type Moderate
CVE-2026-33283 was published for github.com/ellanetworks/core (Go) Mar 19, 2026
p1-aji Credited to p1-aji
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database