Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,557 advisories

Loading
@budibase/server: Command Injection in PostgreSQL Dump Command High
CVE-2026-25041 was published for @budibase/server (npm) Mar 9, 2026
omkarparth Credited to omkarparth
Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator High
CVE-2025-69219 was published for apache-airflow-providers-http (pip) Mar 9, 2026
Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass Moderate
CVE-2026-25604 was published for apache-airflow-providers-amazon (pip) Mar 9, 2026
Apache IoTDB has an Improper Input Validation vulnerability Critical
CVE-2026-24713 was published for org.apache.iotdb:iotdb-core (Maven) Mar 9, 2026
Apache IoTDB has an Insecure Default Configuration Vulnerability Critical
CVE-2026-24015 was published for org.apache.iotdb:iotdb-core (Maven) Mar 9, 2026
Apache ZooKeeper has improper handling of configuration values High
CVE-2026-24308 was published for org.apache.zookeeper:zookeeper (Maven) Mar 7, 2026
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager High
CVE-2026-24281 was published for org.apache.zookeeper:zookeeper (Maven) Mar 7, 2026
kascit Credited to kascit
Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file High
CVE-2025-14675 was published for wpmetabox/meta-box (Composer) Mar 7, 2026
ictbeheer Credited to ictbeheer
Soroban: Muxed address<->ScVal conversions may break after a conversion failure Low
GHSA-pm4j-7r4q-ccg8 was published for soroban-env-host (Rust) Mar 7, 2026
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30921 was published for @oneuptime/common (npm) Mar 7, 2026
maru1009 Credited to maru1009
x402 SDK Security Advisory High
GHSA-qr2g-p6q7-w82m was published for @x402/svm (Go) Mar 7, 2026
Black's vulnerable version parsing leads to RCE in GitHub Action High
CVE-2026-31900 was published for psf/black (GitHub Actions) Mar 7, 2026
ParzivalHack Credited to ParzivalHack
Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains Low
CVE-2026-30916 was published for shescape (npm) Mar 7, 2026 withdrawn
FUXA has a hardcoded fallback JWT signing secret High
GHSA-c8m8-3jcr-6rj5 was published for @frangoteam/fuxa (npm) Mar 7, 2026
blankshiro Credited to blankshiro
OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE Critical
CVE-2026-30887 was published for @oneuptime/common (npm) Mar 7, 2026
hunterxsirago1 Credited to hunterxsirago1
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
CVE-2026-30885 was published for wwbn/avideo (Composer) Mar 7, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` Moderate
CVE-2026-30870 was published for @powersync/service-core (npm) Mar 7, 2026
rkistner Credited to rkistner
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft High
CVE-2026-33010 was published for mcp-memory-service (pip) Mar 7, 2026
yotampe-pluto Credited to yotampe-pluto
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR) Moderate
GHSA-5q8v-j673-m5v4 was published for grumpydictator/firefly-iii (Composer) Mar 7, 2026
WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation Critical
CVE-2026-30861 was published for github.com/Tencent/WeKnora (Go) Mar 7, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool Critical
CVE-2026-30860 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora has Broken Access Control - Cross-Tenant Data Exposure High
CVE-2026-30859 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources High
CVE-2026-30858 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102 and Haruna38 Haruna38 Haruna38
WeKnora has Unauthorized Cross‑Tenant Knowledge Base Cloning Moderate
CVE-2026-30857 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database