GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
28,407 advisories
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes
High
CVE-2026-30223
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
stellar-xdr's StringM::from_str bypasses max length validation
Moderate
CVE-2026-29795
was published
for
stellar-xdr
(Rust)
Mar 5, 2026
Gokapi has CSRF in Login Endpoint
Moderate
CVE-2026-29084
was published
for
github.com/forceu/gokapi
(Go)
Mar 5, 2026
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
Moderate
CVE-2026-29061
was published
for
github.com/forceu/gokapi
(Go)
Mar 5, 2026
Gogs: DOM-based XSS via milestone selection
High
CVE-2026-26276
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
Gogs: Access tokens get exposed through URL params in API requests
Moderate
CVE-2026-26196
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
Gogs: Stored XSS in branch and wiki views through author and committer names
Moderate
CVE-2026-26195
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
Gogs: Release tag option injection in release deletion
High
CVE-2026-26194
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
Gogs: Stored XSS via data URI in issue comments
High
CVE-2026-26022
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
Gogs: Cross-repository LFS object overwrite via missing content hash verification
Critical
CVE-2026-25921
was published
for
gogs.io/gogs
(Go)
Mar 5, 2026
Gokapi has privilege escalation with auth token
Moderate
CVE-2026-29060
was published
for
github.com/forceu/gokapi
(Go)
Mar 5, 2026
Gokapi has Stored XSS in SVG Hotlinks
High
CVE-2026-28683
was published
for
github.com/forceu/gokapi
(Go)
Mar 5, 2026
Gokapi has Data Leak in Upload Status Stream
Moderate
CVE-2026-28682
was published
for
github.com/forceu/gokapi
(Go)
Mar 5, 2026
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
Critical
CVE-2026-27944
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Mar 5, 2026
xgrammar vulnerable to DoS via multi-layer nesting
High
CVE-2026-25048
was published
for
xgrammar
(pip)
Mar 5, 2026
Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Moderate
CVE-2025-64166
was published
for
mercurius
(npm)
Mar 5, 2026
Leantime has HTML injection through firstname and lastname fields
Moderate
GHSA-qrfh-cc86-vc8c
was published
for
leantime/leantime
(Composer)
Mar 5, 2026
AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
High
CVE-2026-29093
was published
for
wwbn/avideo
(Composer)
Mar 5, 2026
dbt-common's commonprefix() doesn't protect against path traversal
Low
CVE-2026-29790
was published
for
dbt-common
(pip)
Mar 5, 2026
opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
High
CVE-2026-3125
was published
for
@opennextjs/cloudflare
(npm)
Mar 5, 2026
tar has Hardlink Path Traversal via Drive-Relative Linkpath
High
CVE-2026-29786
was published
for
tar
(npm)
Mar 5, 2026
ProTip!
Advisories are also available from the
GraphQL API