GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,905 advisories

pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names High
CVE-2025-70952 was published for org.pf4j:pf4j (Maven) Mar 25, 2026
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL High
CVE-2026-33717 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php Critical
CVE-2026-33716 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution Critical
CVE-2026-33701 was published for io.opentelemetry.javaagent:opentelemetry-javaagent (Maven) Mar 25, 2026
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion Moderate
CVE-2026-33700 was published for code.vikunja.io/api (Go) Mar 25, 2026
Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure) Moderate
CVE-2026-33682 was published for Streamlit (pip) Mar 25, 2026
Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download Moderate
CVE-2026-33679 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion High
CVE-2026-33678 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API Moderate
CVE-2026-33677 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources Moderate
CVE-2026-33675 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching Moderate
CVE-2026-33672 was published for picomatch (npm) Mar 25, 2026
Credited to ByamB4, danez, and doowb
Picomatch has a ReDoS vulnerability via extglob quantifiers High
CVE-2026-33671 was published for picomatch (npm) Mar 25, 2026
Credited to ByamB4, danez, and doowb
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect High
CVE-2026-33668 was published for code.vikunja.io/api (Go) Mar 25, 2026
n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover High
CVE-2026-33665 was published for n8n (npm) Mar 25, 2026
Credited to weblover12, 34selen, B0RI, and Jeon-Ji-Hwan
Credited to tr4ce-ju
n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode Critical
CVE-2026-33660 was published for n8n (npm) Mar 25, 2026
Credited to duddnr0615k, simonkoeck, c0rydoras, and nil340
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests Low
CVE-2026-33658 was published for activestorage (RubyGems) Mar 25, 2026
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines Moderate
GHSA-v3rj-xjv7-4jmq was published for smol-toml (npm) Mar 25, 2026
Credited to 0xkakash1
Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion High
GHSA-p2gh-cfq4-4wjc was published for google/protobuf (Composer) Mar 25, 2026
Credited to 34selen
Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() Moderate
CVE-2026-33693 was published for activitypub_federation (Rust) Mar 25, 2026
Credited to SnailSploit
MantisBT has Stored HTML Injection/XSS when displaying Tags in Timeline High
CVE-2026-33548 was published for mantisbt/mantisbt (Composer) Mar 25, 2026
Credited to shukla304 and dregad
yaml is vulnerable to Stack Overflow via deeply nested YAML collections Moderate
CVE-2026-33532 was published for yaml (npm) Mar 25, 2026
Credited to kq5y and peaktwilight