Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
48
GitHub Actions
48
Go
3,393
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,614
Pub
13
RubyGems
1,026
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

28,270 advisories

Loading
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren High
CVE-2026-30926 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 9, 2026
Zwique Credited to Zwique
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters Critical
CVE-2026-30863 was published for parse-server (npm) Mar 9, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled Moderate
CVE-2026-30854 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization Moderate
CVE-2026-30850 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory Moderate
CVE-2026-30848 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
Kubewarden: Cross-namespace data exfiltration via deprecated host callback binding Moderate
CVE-2026-29773 was published for github.com/kubewarden/kubewarden-controller (Go) Mar 9, 2026
thevilledev Credited to thevilledev
Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys High
CVE-2026-29196 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Privilege Escalation from Admin to Super-Admin via User Update Moderate
CVE-2026-29195 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Insufficient Authorization in Host Token Verification High
CVE-2026-29194 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange High
CVE-2026-28513 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
dorakemon Credited to dorakemon
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion High
CVE-2026-28512 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
ByamB4 Credited to ByamB4
@budibase/server: Command Injection in PostgreSQL Dump Command High
CVE-2026-25041 was published for @budibase/server (npm) Mar 9, 2026
omkarparth Credited to omkarparth
Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass Moderate
CVE-2026-25604 was published for apache-airflow-providers-amazon (pip) Mar 9, 2026
Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator High
CVE-2025-69219 was published for apache-airflow-providers-http (pip) Mar 9, 2026
Apache IoTDB has an Insecure Default Configuration Vulnerability Critical
CVE-2026-24015 was published for org.apache.iotdb:iotdb-core (Maven) Mar 9, 2026
Apache IoTDB has an Improper Input Validation vulnerability Critical
CVE-2026-24713 was published for org.apache.iotdb:iotdb-core (Maven) Mar 9, 2026
Apache ZooKeeper has improper handling of configuration values High
CVE-2026-24308 was published for org.apache.zookeeper:zookeeper (Maven) Mar 7, 2026
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager High
CVE-2026-24281 was published for org.apache.zookeeper:zookeeper (Maven) Mar 7, 2026
kascit Credited to kascit
Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file High
CVE-2025-14675 was published for wpmetabox/meta-box (Composer) Mar 7, 2026
ictbeheer Credited to ictbeheer
Soroban: Muxed address<->ScVal conversions may break after a conversion failure Low
GHSA-pm4j-7r4q-ccg8 was published for soroban-env-host (Rust) Mar 7, 2026
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30921 was published for @oneuptime/common (npm) Mar 7, 2026
maru1009 Credited to maru1009
x402 SDK Security Advisory High
GHSA-qr2g-p6q7-w82m was published for @x402/svm (Go) Mar 7, 2026
Black's vulnerable version parsing leads to RCE in GitHub Action High
CVE-2026-31900 was published for psf/black (GitHub Actions) Mar 7, 2026
ParzivalHack Credited to ParzivalHack
Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains Low
CVE-2026-30916 was published for shescape (npm) Mar 7, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database