GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,499 advisories

AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass Critical
CVE-2026-33351 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to iconnnjka
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser Moderate
CVE-2026-33349 was published for fast-xml-parser (npm) Mar 19, 2026
Credited to restriction
league/commonmark has an embed extension allowed_domains bypass Moderate
CVE-2026-33347 was published for league/commonmark (Composer) Mar 19, 2026
Credited to HuajiHD
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion Moderate
CVE-2026-33332 was published for nicegui (pip) Mar 19, 2026
Credited to aest3ra, oxqnd, mjkim610, evnchn, Khaliun-sw1, and falkoschindler
@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix) Moderate
CVE-2026-33326 was published for @keystone-6/core (npm) Mar 19, 2026
Credited to n0wsh
Packetbeat does not properly validate an array index in multiple protocol parser components Moderate
CVE-2026-26933 was published for github.com/elastic/beats/v7 (Go) Mar 19, 2026
PyMuPDF has a path traversal in _main_.py Moderate
CVE-2026-3029 was published for PyMuPDF (pip) Mar 19, 2026
Metricbeat Allocates Memory with Excessive Size Value Leading to Denial of Service Moderate
CVE-2026-26931 was published for github.com/elastic/beats/v7 (Go) Mar 19, 2026
Parse Server email verification resend page leaks user existence Moderate
CVE-2026-33323 was published for parse-server (npm) Mar 19, 2026
Credited to fancymalware and mtrezza
skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version High
GHSA-2mhw-8qcg-gr96 was published for skia-python (pip) Mar 19, 2026
MinIO has JWT Algorithm Confusion in OIDC Authentication Critical
CVE-2026-33322 was published for github.com/minio/minio (Go) Mar 19, 2026
Credited to KoreaSecurity, donatello, harshavardhana, and taran-p
Improper Authentication and Origin Validation Error in pyload-ng Moderate
CVE-2026-33314 was published for pyload-ng (pip) Mar 19, 2026
Credited to Jaynornj
bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby Moderate
CVE-2026-33306 was published for bcrypt (RubyGems) Mar 19, 2026
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials Moderate
CVE-2026-33311 was published for @dicebear/core (npm) Mar 19, 2026
Credited to restriction
Ella Core panics on malformed ULNASTransport Message without a Request Type Moderate
CVE-2026-33283 was published for github.com/ellanetworks/core (Go) Mar 19, 2026
Credited to p1-aji
Ella Core panics on malformed NGAP Location Report High
CVE-2026-33282 was published for github.com/ellanetworks/core (Go) Mar 19, 2026
Credited to p1-aji
Ella Core panics on invalid PDU Session IDs in NGAP messages Moderate
CVE-2026-33281 was published for github.com/ellanetworks/core (Go) Mar 19, 2026
Credited to p1-aji
Intake has a Command Injection via shell() Expansion in Parameter Defaults High
CVE-2026-33310 was published for intake (pip) Mar 19, 2026
Credited to redyank
Langflow has an Arbitrary File Write (RCE) via v2 API Critical
CVE-2026-33309 was published for langflow (pip) Mar 19, 2026
Credited to akshatgit, abhinavagarwal07, Jkavia, and andifilhohub
Prototype Pollution via parse() in NodeJS flatted High
CVE-2026-33228 was published for flatted (npm) Mar 19, 2026
Credited to yohannslm
Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets Moderate
CVE-2026-32694 was published for github.com/juju/juju (Go) Mar 19, 2026
Credited to hpidcock
Juju has unauthorized access to out-of-scope Kubernetes secrets High
CVE-2026-32693 was published for github.com/juju/juju (Go) Mar 19, 2026
Credited to dimaqq, hpidcock, and wallyworld
Juju has unauthorized update of out-of-scope Vault secrets High
CVE-2026-32692 was published for github.com/juju/juju (Go) Mar 19, 2026
Credited to hpidcock
Denial of service via non-terminating SYLT frame parsing loop in tinytag Moderate
CVE-2026-32889 was published for tinytag (pip) Mar 19, 2026
Credited to kq5y
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php Moderate
CVE-2026-33297 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to fg0x0