GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,890 advisories

Credited to TinkAnet, climba03003, mcollina, and UlisesGascon
WeChat Pay callback signature verification bypassed when Host header is localhost High
CVE-2026-33661 was published for yansongda/pay (Composer) Mar 25, 2026
Plexus-Utils has a Directory Traversal vulnerability in its extractFile method High
CVE-2025-67030 was published for org.codehaus.plexus:plexus-utils (Maven) Mar 25, 2026
node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter Critical
CVE-2026-26832 was published for node-tesseract-ocr (npm) Mar 25, 2026
AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion High
CVE-2026-33650 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload High
CVE-2026-33647 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern High
CVE-2026-33287 was published for liquidjs (npm) Mar 25, 2026
Credited to koDove
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash High
CVE-2026-33285 was published for liquidjs (npm) Mar 25, 2026
Credited to koDove
@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling Low
GHSA-8g29-8xwr-qmhr was published for @grackle-ai/server (npm) Mar 25, 2026
@grackle-ai/server has a Missing Secure Flag on Session Cookie Low
GHSA-5j35-xr4g-vwf4 was published for @grackle-ai/server (npm) Mar 25, 2026
@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers Moderate
GHSA-3mjm-x6gw-2x42 was published for @grackle-ai/server (npm) Mar 25, 2026
@grackle-ai/powerline Runs Without Authentication by Default Moderate
GHSA-xq7h-vwjp-5vrh was published for @grackle-ai/powerline (npm) Mar 25, 2026
@grackle-ai/server has Missing WebSocket Origin Header Validation High
GHSA-w3hv-x4fp-6h6j was published for @grackle-ai/server (npm) Mar 25, 2026
@grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool High
GHSA-647h-p824-99w7 was published for @grackle-ai/mcp (npm) Mar 25, 2026
@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template Low
GHSA-7q9x-8g6p-3x75 was published for @grackle-ai/server (npm) Mar 25, 2026
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead High
CVE-2026-27889 was published for github.com/nats-io/nats-server/v2 (Go) Mar 25, 2026
Credited to Mistz1 and jiayuqi7813
Modoboa has OS Command Injection High
CVE-2026-27602 was published for modoboa (pip) Mar 25, 2026
Credited to ByamB4
n8n has In-Process Memory Disclosure in its Task Runner High
CVE-2026-27496 was published for n8n (npm) Mar 25, 2026
Credited to c0rydoras
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function Moderate
CVE-2026-25645 was published for requests (pip) Mar 25, 2026
Credited to Jaycelation, nateprewitt, and sigmavirus24
pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter Critical
CVE-2026-26830 was published for pdf-image (npm) Mar 25, 2026
Two LiteLLM versions published containing credential harvesting malware Critical
GHSA-5mg7-485q-xm76 was published for litellm (pip) Mar 25, 2026
Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint Moderate
CVE-2026-33638 was published for github.com/lin-snow/ech0 (Go) Mar 24, 2026
Credited to QiaoNPC