Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
48
Go
3,399
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,618
Pub
13
RubyGems
1,026
Rust
1,205
Swift
52
Unreviewed advisories
All unreviewed
5,000+

28,315 advisories

Loading
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
Kubewarden: Cross-namespace data exfiltration via deprecated host callback binding Moderate
CVE-2026-29773 was published for github.com/kubewarden/kubewarden-controller (Go) Mar 9, 2026
thevilledev Credited to thevilledev
Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys High
CVE-2026-29196 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Privilege Escalation from Admin to Super-Admin via User Update Moderate
CVE-2026-29195 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Insufficient Authorization in Host Token Verification High
CVE-2026-29194 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange High
CVE-2026-28513 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
dorakemon Credited to dorakemon
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion High
CVE-2026-28512 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
ByamB4 Credited to ByamB4
@budibase/server: Command Injection in PostgreSQL Dump Command High
CVE-2026-25041 was published for @budibase/server (npm) Mar 9, 2026
omkarparth Credited to omkarparth
Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator High
CVE-2025-69219 was published for apache-airflow-providers-http (pip) Mar 9, 2026
Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass Moderate
CVE-2026-25604 was published for apache-airflow-providers-amazon (pip) Mar 9, 2026
Apache IoTDB has an Insecure Default Configuration Vulnerability Critical
CVE-2026-24015 was published for org.apache.iotdb:iotdb-core (Maven) Mar 9, 2026
Apache IoTDB has an Improper Input Validation vulnerability Critical
CVE-2026-24713 was published for org.apache.iotdb:iotdb-core (Maven) Mar 9, 2026
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager High
CVE-2026-24281 was published for org.apache.zookeeper:zookeeper (Maven) Mar 7, 2026
kascit Credited to kascit
Apache ZooKeeper has improper handling of configuration values High
CVE-2026-24308 was published for org.apache.zookeeper:zookeeper (Maven) Mar 7, 2026
Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file High
CVE-2025-14675 was published for wpmetabox/meta-box (Composer) Mar 7, 2026
ictbeheer Credited to ictbeheer
Soroban: Muxed address<->ScVal conversions may break after a conversion failure Low
GHSA-pm4j-7r4q-ccg8 was published for soroban-env-host (Rust) Mar 7, 2026
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30921 was published for @oneuptime/common (npm) Mar 7, 2026
maru1009 Credited to maru1009
x402 SDK Security Advisory High
GHSA-qr2g-p6q7-w82m was published for @x402/svm (Go) Mar 7, 2026
Black's vulnerable version parsing leads to RCE in GitHub Action High
CVE-2026-31900 was published for psf/black (GitHub Actions) Mar 7, 2026
ParzivalHack Credited to ParzivalHack
Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains Low
CVE-2026-30916 was published for shescape (npm) Mar 7, 2026 withdrawn
FUXA has a hardcoded fallback JWT signing secret High
GHSA-c8m8-3jcr-6rj5 was published for @frangoteam/fuxa (npm) Mar 7, 2026
blankshiro Credited to blankshiro
OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE Critical
CVE-2026-30887 was published for @oneuptime/common (npm) Mar 7, 2026
hunterxsirago1 Credited to hunterxsirago1
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
CVE-2026-30885 was published for wwbn/avideo (Composer) Mar 7, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` Moderate
CVE-2026-30870 was published for @powersync/service-core (npm) Mar 7, 2026
rkistner Credited to rkistner
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database