GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,557 advisories

Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload (High)
CVE-2026-30948 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

Parse Server has a bypass of class-level permissions in LiveQuery (High)
CVE-2026-30947 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API (High)
CVE-2026-30946 was published for parse-server (npm) on Mar 11, 2026
Credited to mtrezza

StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service (High)
CVE-2026-30945 was published for studiocms (npm) on Mar 11, 2026
Credited to FilipeGaudard and Adammatthiesen

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints (High)
CVE-2026-30941 was published for parse-server (npm) on Mar 11, 2026
Credited to 0xkakash1 and mtrezza

pypdf: manipulated stream length values can exhaust RAM (Moderate)
CVE-2026-31826 was published for pypdf (pip) on Mar 11, 2026
Credited to iconnnjka and stefan6419846

Sylius has a DQL Injection via API Order Filters (Moderate)
CVE-2026-31825 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to Neosprings and bnBart

Sylius has a Promotion Usage Limit Bypass via Race Condition (High)
CVE-2026-31824 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to whiteov3rflow and bnBart

Sylius Vulnerable to Authenticated Stored XSS (Moderate)
CVE-2026-31823 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to whiteov3rflow and bnBart

Sylius has an XSS vulnerability in checkout login form (Moderate)
CVE-2026-31822 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to bnBart

Sylius is Missing Authorization in API v2 Add Item Endpoint (Moderate)
CVE-2026-31821 was published for sylius/sylius (Composer) on Mar 11, 2026

Sylius affected by IDOR in Cart and Checkout LiveComponents (High)
CVE-2026-31820 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to p- and m-y-mo

Sylius has an Open Redirect via Referer Header (Moderate)
CVE-2026-31819 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to bnBart

Wisp Vulnerable to Path Traversal (High)
CVE-2026-28807 was published for wisp (Erlang) on Mar 11, 2026
Credited to jtdowney and lpil

django-unicorn affected by component state manipulation via unvalidated attribute access (Moderate)
CVE-2026-31815 was published for django-unicorn (pip) on Mar 11, 2026
Credited to RinZ27

OliveTin's unsafe parsing of UniqueTrackingId can be used to write files (High)
CVE-2026-31817 was published for github.com/OliveTin/OliveTin (Go) on Mar 11, 2026
Credited to iconnnjka

Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing (High)
CVE-2026-31812 was published for quinn-proto (Rust) on Mar 11, 2026

SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS (Moderate)
CVE-2026-31809 was published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 10, 2026
Credited to 0xkakash1

@siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes (High)
CVE-2026-31861 was published for @siteboon/claude-code-ui (npm) on Mar 10, 2026
Credited to Akokonunes and neo-ai-engineer

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header (Moderate)
CVE-2026-31808 was published for file-type (npm) on Mar 10, 2026

SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS (Moderate)
CVE-2026-31807 was published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 10, 2026
Credited to 0xkakash1

node-tar Symlink Path Traversal via Drive-Relative Linkpath (High)
CVE-2026-31802 was published for tar (npm) on Mar 10, 2026
Credited to Jvr2022

zot's create-only policy allows overwrite attempts of existing latest tag (update permission not required) (High)
CVE-2026-31801 was published for zotregistry.dev/zot (Go) on Mar 10, 2026
Credited to 1seal

pdfmake is vulnerable to server-side request forgery (SSRF) (High)
CVE-2026-26801 was published for pdfmake (npm) on Mar 10, 2026
Credited to mariopepe

ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder (Moderate)
CVE-2026-31853 was published for Magick.NET-Q16-AnyCPU (NuGet) on Mar 10, 2026
Credited to Mcsky23