GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, count by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 44; GitHub Actions 46; Go 3,270; Maven 5,000+; npm 5,000+; NuGet 867; pip 4,517; Pub 12; RubyGems 998; Rust 1,194; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.
27,557 advisories
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking. Severity: High. CVE-2026-29175 was published for craftcms/commerce (Composer) on Mar 10, 2026.
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting. Severity: High. CVE-2026-29174 was published for craftcms/commerce (Composer) on Mar 10, 2026.
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table. Severity: Low. CVE-2026-29173 was published for craftcms/commerce (Composer) on Mar 10, 2026.
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting. Severity: High. CVE-2026-29172 was published for craftcms/commerce (Composer) on Mar 10, 2026.
Craft CMS has a potential information disclosure vulnerability in preview tokens. Severity: Low. CVE-2026-29113 was published for craftcms/cms (Composer) on Mar 10, 2026.
StudioCMS has Privilege Escalation via Insecure API Token Generation. Severity: High. CVE-2026-30944 was published for studiocms (npm) on Mar 10, 2026.
Envoy vulnerable to crash for scoped ip address during DNS. Severity: Moderate. CVE-2026-26310 was published for github.com/envoyproxy/envoy (Go) on Mar 10, 2026.
Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation. Severity: Moderate. CVE-2026-1776 was published for camaleon_cms (RubyGems) on Mar 10, 2026.
copyparty: volflag `nohtml` did not block javascript in svg files. Severity: Moderate. CVE-2026-30974 was published for copyparty (pip) on Mar 10, 2026.
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation. Severity: Moderate. CVE-2026-30964 was published for web-auth/webauthn-framework (Composer) on Mar 10, 2026.
RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface. Severity: Critical. CVE-2026-30960 was published for rssn (Rust) on Mar 10, 2026.
Linkdave Missing Authentication on REST and WebSocket endpoints. Severity: Critical. GHSA-xv8g-fj9h-6gmv was published for github.com/shi-gg/linkdave (Go) on Mar 10, 2026.
OneUptime has WhatsApp Resend Verification Authorization Bypass. Severity: Moderate. CVE-2026-30959 was published for @oneuptime/common (npm) on Mar 10, 2026.
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object. Severity: Critical. CVE-2026-30957 was published for @oneuptime/common (npm) on Mar 10, 2026.
OneUptime has authorization bypass via client-controlled is-multi-tenant-query header that leads to cross-tenant data exposure and account takeover. Severity: Critical. CVE-2026-30956 was published for @oneuptime/common (npm) on Mar 10, 2026.
liquidjs has a path traversal fallback vulnerability. Severity: High. CVE-2026-30952 was published for liquidjs (npm) on Mar 10, 2026.
Actual Sync Server has an Authenticated Path Traversal. Severity: Moderate. CVE-2026-3089 was published for @actual-app/sync-server (npm) on Mar 10, 2026.
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution. Severity: High. CVE-2026-30939 was published for parse-server (npm) on Mar 10, 2026.
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement. Severity: Moderate. CVE-2026-30938 was published for parse-server (npm) on Mar 10, 2026.
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery. Severity: High. CVE-2026-30925 was published for parse-server (npm) on Mar 10, 2026.
flarum/nicknames extension has display name injection in notification emails (autolink & markdown). Severity: Moderate. CVE-2026-30913 was published for flarum/nicknames (Composer) on Mar 10, 2026.
AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs. Severity: High. GHSA-93fx-5qgc-wr38 was published for azuracast/azuracast (Composer) on Mar 9, 2026.
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions. Severity: Moderate. GHSA-9q36-67vc-rrwg was published for openclaw (npm) on Mar 9, 2026.
OpenClaw: system.run allow-always persistence included shell-commented payload tails. Severity: Moderate. GHSA-9q2p-vc84-2rwm was published for openclaw (npm) on Mar 9, 2026.
ProTip! Advisories are also available from the GraphQL API.