
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,905 advisories

OpenClaw: Plivo V2 verified replay identity drifts on query-only variants High
GHSA-cg6c-q2hx-69h7 was published for openclaw (npm) Mar 26, 2026
Credited to smaeljaish771
Convict has Prototype Pollution via startsWith() function Critical
CVE-2026-33864 was published for convict (npm) Mar 26, 2026
Credited to kevgeoleo, vdata1, reallyTG, fkiriakos07, toufali, and clouserw
Convict has prototype pollution via load(), loadFile(), and schema initialization Critical
CVE-2026-33863 was published for convict (npm) Mar 26, 2026
Credited to toufali and clouserw
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass High
CVE-2026-33871 was published for io.netty:netty-codec-http2 (Maven) Mar 26, 2026
Credited to sprabhav7
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-33870 was published for io.netty:netty-codec-http (Maven) Mar 26, 2026
Credited to xclow3n
Astro: Remote allowlist bypass via unanchored matchPathname wildcard Low
CVE-2026-33769 was published for astro (npm) Mar 26, 2026
Credited to christos-eth
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path` Moderate
CVE-2026-33768 was published for @astrojs/vercel (npm) Mar 26, 2026
Credited to jp-soba
OpenBao has Reflected XSS in its OIDC authentication error message Critical
CVE-2026-33758 was published for github.com/openbao/openbao (Go) Mar 26, 2026
Credited to gianklug
OpenBao lacks user confirmation for OIDC direct callback mode Critical
CVE-2026-33757 was published for github.com/openbao/openbao (Go) Mar 26, 2026
Credited to gianklug
Langflow has Authenticated Code Execution in Agentic Assistant Validation Critical
CVE-2026-33873 was published for langflow (pip) Mar 26, 2026
Credited to kexinoh and andifilhohub
n8n Vulnerable to LDAP Filter Injection in LDAP Node Moderate
CVE-2026-33751 was published for n8n (npm) Mar 26, 2026
Credited to allsmog
brace-expansion: Zero-step sequence causes process hang and memory exhaustion Moderate
CVE-2026-33750 was published for brace-expansion (npm) Mar 26, 2026
Credited to subhashdasyam, katzj, and navgarcha
n8n Vulnerable to XSS via Binary Data Inline HTML Rendering Moderate
CVE-2026-33749 was published for n8n (npm) Mar 26, 2026
Credited to simonkoeck
BuildKit Git URL subdir component can cause access to restricted files High
CVE-2026-33748 was published for github.com/moby/buildkit (Go) Mar 26, 2026
BuildKit's Malicious frontend can cause file escape outside of storage root High
CVE-2026-33747 was published for github.com/moby/buildkit (Go) Mar 26, 2026
Credited to 1seal
Credited to AmanTallarium, nemophrost, s3cur3, and dweill
AVideo has Plaintext Video Password Storage Critical
CVE-2026-33867 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to athuljayaram
AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables High
CVE-2026-33770 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to athuljayaram
AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query High
CVE-2026-33767 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to athuljayaram
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints Moderate
CVE-2026-33766 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to kodareef5
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions Moderate
CVE-2026-33764 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to offset
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle Moderate
CVE-2026-33763 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to offset
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents Moderate
CVE-2026-33759 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to offset
LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write High
GHSA-pr3g-phhr-h8fh was published for librenms/librenms (Composer) Mar 26, 2026
Credited to YuriNek0
ProTip! Advisories are also available from the GraphQL API