Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,557 advisories

Loading
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC High
CVE-2026-32887 was published for effect (npm) Mar 20, 2026
jamesone Credited to jamesone
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify High
CVE-2026-33331 was published for @orpc/openapi (npm) Mar 20, 2026
abhayclasher Credited to abhayclasher
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement High
CVE-2026-33316 was published for code.vikunja.io/api (Go) Mar 20, 2026
VashuVats Credited to VashuVats
Vikunja has a 2FA Bypass via Caldav Basic Auth Moderate
CVE-2026-33315 was published for code.vikunja.io/api (Go) Mar 20, 2026
alp1n3-dev Credited to alp1n3-dev
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments Moderate
CVE-2026-33313 was published for code.vikunja.io/api (Go) Mar 20, 2026
Vikunja read-only users can delete project background images via broken object-level authorization Moderate
CVE-2026-33312 was published for code.vikunja.io/api (Go) Mar 20, 2026
tar-rs `unpack_in` can chmod arbitrary directories by following symlinks Moderate
CVE-2026-33056 was published for tar (Rust) Mar 20, 2026
xokdvium Credited to xokdvium
tar-rs incorrectly ignores PAX size headers if header size is nonzero Moderate
CVE-2026-33055 was published for tar (Rust) Mar 20, 2026
xokdvium Credited to xokdvium and woodruffw woodruffw woodruffw
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names Critical
CVE-2026-33286 was published for graphiti (RubyGems) Mar 20, 2026
doublevoid Credited to doublevoid and simonrand simonrand simonrand
pydicom has a path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root High
CVE-2026-32711 was published for pydicom (pip) Mar 20, 2026
jh4nks Credited to jh4nks
Qwik City has array method pollution in FormData processing allows type confusion and DoS High
CVE-2026-32701 was published for @builder.io/qwik-city (npm) Mar 20, 2026
Y4tacker Credited to Y4tacker
Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration Moderate
CVE-2026-32595 was published for github.com/traefik/traefik (Go) Mar 20, 2026
f1veT Credited to f1veT
Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config High
CVE-2026-32305 was published for github.com/traefik/traefik (Go) Mar 20, 2026
InfinityHub123 Credited to InfinityHub123
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
GHSA-x49q-fhhm-r9jf was published for openclaw (npm) Mar 20, 2026 withdrawn
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers Moderate
CVE-2026-29794 was published for code.vikunja.io/api (Go) Mar 20, 2026
alp1n3-dev Credited to alp1n3-dev
Spring Security HTTP Headers Are not Written Under Some Conditions Critical
CVE-2026-22732 was published for org.springframework.security:spring-security-web (Maven) Mar 20, 2026
Spring Boot has an Authentication Bypass under Actuator Health groups paths High
CVE-2026-22731 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) Mar 20, 2026
Spring MVC and WebFlux has Server Sent Event stream corruption Low
CVE-2026-22735 was published for org.springframework:spring-webflux (Maven) Mar 20, 2026
Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints High
CVE-2026-22733 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) Mar 20, 2026
Spring Framework Improper Path Limitation with Script View Templates Moderate
CVE-2026-22737 was published for org.springframework:spring-webflux (Maven) Mar 20, 2026
ingress-nginx comment-based nginx configuration injection High
CVE-2026-4342 was published for k8s.io/ingress-nginx (Go) Mar 20, 2026
Parse Server has an auth provider validation bypass on login via partial authData High
CVE-2026-33409 was published for parse-server (npm) Mar 19, 2026
restriction Credited to restriction and mtrezza mtrezza mtrezza
Scriban Affected by Memory Exhaustion (OOM) via Unbounded String Generation (Denial of Service) Moderate
GHSA-5rpf-x9jg-8j5p was published for scriban (NuGet) Mar 19, 2026
skdishansachin Credited to skdishansachin
Scriban has an Infinite Recursion during Object Rendering Leads to Stack Overflow and Process Crash (Denial of Service) High
GHSA-grr9-747v-xvcp was published for scriban (NuGet) Mar 19, 2026
skdishansachin Credited to skdishansachin
Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service) High
GHSA-wgh7-7m3c-fx25 was published for scriban (NuGet) Mar 19, 2026
skdishansachin Credited to skdishansachin
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database