
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

27,583 advisories

OliveTin's RestartAction always runs actions as guest (Moderate)
CVE-2026-30225, published for github.com/OliveTin/OliveTin (Go), Mar 5, 2026
Credited to Zwique

OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session (Moderate)
CVE-2026-30224, published for github.com/OliveTin/OliveTin (Go), Mar 5, 2026
Credited to Zwique

OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes (High)
CVE-2026-30223, published for github.com/OliveTin/OliveTin (Go), Mar 5, 2026
Credited to Zwique

stellar-xdr's StringM::from_str bypasses max length validation (Moderate)
CVE-2026-29795, published for stellar-xdr (Rust), Mar 5, 2026
Credited to leighmcculloch

Gokapi has CSRF in Login Endpoint (Moderate)
CVE-2026-29084, published for github.com/forceu/gokapi (Go), Mar 5, 2026
Credited to Sijisu, aisafe-bot, and Forceu

Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion (Moderate)
CVE-2026-29061, published for github.com/forceu/gokapi (Go), Mar 5, 2026
Credited to Sijisu, aisafe-bot, and Forceu

LangGraph checkpoint loading has unsafe msgpack deserialization (Moderate)
CVE-2026-28277, published for langgraph (pip), Mar 5, 2026

Gogs: DOM-based XSS via milestone selection (High)
CVE-2026-26276, published for gogs.io/gogs (Go), Mar 5, 2026
Credited to odgrso

Gogs: Access tokens get exposed through URL params in API requests (Moderate)
CVE-2026-26196, published for gogs.io/gogs (Go), Mar 5, 2026
Credited to rezmoss

Gogs: Stored XSS in branch and wiki views through author and committer names (Moderate)
CVE-2026-26195, published for gogs.io/gogs (Go), Mar 5, 2026
Credited to rezmoss

Gogs: Release tag option injection in release deletion (High)
CVE-2026-26194, published for gogs.io/gogs (Go), Mar 5, 2026
Credited to rezmoss

Gogs: Stored XSS via data URI in issue comments (High)
CVE-2026-26022, published for gogs.io/gogs (Go), Mar 5, 2026
Credited to dxlerYT

Gogs: Cross-repository LFS object overwrite via missing content hash verification (Critical)
CVE-2026-25921, published for gogs.io/gogs (Go), Mar 5, 2026
Credited to zjuchenyuan

Gokapi has privilege escalation with auth token (Moderate)
CVE-2026-29060, published for github.com/forceu/gokapi (Go), Mar 5, 2026
Credited to Forceu

Gokapi has Stored XSS in SVG Hotlinks (High)
CVE-2026-28683, published for github.com/forceu/gokapi (Go), Mar 5, 2026
Credited to Sijisu, aisafe-bot, and Forceu

Gokapi has Data Leak in Upload Status Stream (Moderate)
CVE-2026-28682, published for github.com/forceu/gokapi (Go), Mar 5, 2026
Credited to Sijisu, aisafe-bot, and Forceu

Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure (Critical)
CVE-2026-27944, published for github.com/0xJacky/Nginx-UI (Go), Mar 5, 2026
Credited to tenbbughunters

xgrammar vulnerable to DoS via multi-layer nesting (High)
CVE-2026-25048, published for xgrammar (pip), Mar 5, 2026
Credited to ylwango613

Mercurius: Incorrect Content-Type parsing can lead to CSRF attack (Moderate)
CVE-2025-64166, published for mercurius (npm), Mar 5, 2026
Credited to simone-sanfratello

Leantime has HTML injection through firstname and lastname fields (Moderate)
GHSA-qrfh-cc86-vc8c, published for leantime/leantime (Composer), Mar 5, 2026
Credited to PratikKaran23

Python-Markdown has an Uncaught Exception (Moderate)
CVE-2025-69534, published for Markdown (pip), Mar 5, 2026

django-allauth has an open redirect vulnerability (Moderate)
CVE-2026-27982, published for django-allauth (pip), Mar 5, 2026

AVideo: Unauthenticated PHP session store exposed to host network via published memcached port (High)
CVE-2026-29093, published for wwbn/avideo (Composer), Mar 5, 2026
Credited to bugbunny-research

Agentgateway is missing parameter sanitization in MCP to OpenAPI conversion (Moderate)
CVE-2026-29791, published for github.com/agentgateway/agentgateway (Go), Mar 5, 2026

dbt-common's commonprefix() doesn't protect against path traversal (Low)
CVE-2026-29790, published for dbt-common (pip), Mar 5, 2026
Credited to sethmlarson and emmyoop