Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
48
GitHub Actions
48
Go
3,391
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,614
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

28,209 advisories

Loading
Tina: Path Traversal in Media Upload Handle High
CVE-2026-28791 was published for tinacms (npm) Mar 12, 2026
yueyueL Credited to yueyueL
multipart vulnerable to ReDoS in `parse_options_header()` High
CVE-2026-28356 was published for multipart (pip) Mar 12, 2026
sharanxP Credited to sharanxP
@tinacms/graphql has a Path Traversal issue Moderate
CVE-2026-24125 was published for @tinacms/graphql (npm) Mar 12, 2026
Parse Server: Account takeover via operator injection in authentication data identifier Critical
CVE-2026-32248 was published for parse-server (npm) Mar 12, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance Critical
CVE-2026-32242 was published for parse-server (npm) Mar 12, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Trix has a Stored XSS vulnerability through serialized attributes Moderate
GHSA-qmpg-8xg6-ph5q was published for action_text-trix (RubyGems) Mar 12, 2026
Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters High
CVE-2026-32247 was published for graphiti-core (pip) Mar 12, 2026
romain-deperne Credited to romain-deperne
Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint High
CVE-2026-32246 was published for github.com/steveiliop56/tinyauth (Go) Mar 12, 2026
e1024x Credited to e1024x
Tinyauth's OIDC authorization codes are not bound to client on token exchange Moderate
CVE-2026-32245 was published for github.com/steveiliop56/tinyauth (Go) Mar 12, 2026
e1024x Credited to e1024x
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties Low
GHSA-mwv9-gp5h-frr4 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, and mattiasljungstrom KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom
Parse Server has a SQL injection via query field name when using PostgreSQL Moderate
CVE-2026-32234 was published for parse-server (npm) Mar 12, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink High
CVE-2026-32232 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data High
CVE-2026-32231 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint Moderate
CVE-2026-32237 was published for @backstage/plugin-scaffolder-backend (npm) Mar 12, 2026
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch Low
CVE-2026-32236 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass Moderate
CVE-2026-32235 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification Moderate
GHSA-725g-w329-g7qr was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy Moderate
GHSA-x442-m7cc-hr92 was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts Moderate
CVE-2026-32106 was published for studiocms (npm) Mar 12, 2026
offset Credited to offset and Adammatthiesen Adammatthiesen Adammatthiesen
StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings Moderate
CVE-2026-32104 was published for studiocms (npm) Mar 12, 2026
offset Credited to offset and Adammatthiesen Adammatthiesen Adammatthiesen
StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation Moderate
CVE-2026-32103 was published for studiocms (npm) Mar 12, 2026
FilipeGaudard Credited to FilipeGaudard and Adammatthiesen Adammatthiesen Adammatthiesen
StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check High
CVE-2026-32101 was published for @studiocms/s3-storage (npm) Mar 12, 2026
offset Credited to offset and Adammatthiesen Adammatthiesen Adammatthiesen
Traefik: HTTP/2 frames can cause a running server to panic High
GHSA-4hjq-9h5c-252j was published for github.com/traefik/traefik/v2 (Go) Mar 12, 2026
WolverMinion Credited to WolverMinion
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass Critical
CVE-2026-32136 was published for github.com/AdguardTeam/AdGuardHome (Go) Mar 12, 2026
mandreko Credited to mandreko
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database