GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,905 advisories

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing (Moderate)
CVE-2026-33223 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026

NATS JetStream has an authorization bypass through its Management API (Moderate)
CVE-2026-33222 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026

NATS is vulnerable to pre-auth DoS through WebSockets client service (Moderate)
CVE-2026-33219 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026

NATS has pre-auth server panic via leafnode handling (High)
CVE-2026-33218 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026

NATS allows MQTT clients to bypass ACL checks (High)
CVE-2026-33217 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026

NATS has MQTT plaintext password disclosure (High)
CVE-2026-33216 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026

NATS is vulnerable to MQTT hijacking via Client ID (Moderate)
CVE-2026-33215 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026

NATS Server panic via malicious compression on leafnode port (High)
CVE-2026-29785 was published for github.com/nats-io/nats-server (Go) Mar 24, 2026

NATS credentials are exposed in monitoring port via command-line argv (High)
CVE-2026-33247 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026

Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items (Moderate)
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
Credited to morimori-dev

NATS: Message tracing can be redirected to arbitrary subject (Moderate)
CVE-2026-33249 was published for github.com/nats-io/nats-server/v2 (Go) Mar 24, 2026

Parse Server exposes auth data via /users/me endpoint (High)
CVE-2026-33627 was published for parse-server (npm) Mar 24, 2026
Credited to mtrezza

Parse Server: MFA recovery code single-use bypass via concurrent requests (Low)
CVE-2026-33624 was published for parse-server (npm) Mar 24, 2026
Credited to mtrezza and spbavarva

PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token (Moderate)
CVE-2026-33621 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374

PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution (Moderate)
CVE-2026-33623 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei

A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution (Moderate)
CVE-2026-33622 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei

PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems (Moderate)
CVE-2026-33620 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374

PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl (Moderate)
CVE-2026-33619 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374

Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands (Moderate)
CVE-2026-29772 was published for @astrojs/node (npm) Mar 24, 2026
Credited to adrgs and aisafe-bot

MobSF has SQL Injection in its SQLite Database Viewer Utils (Moderate)
CVE-2026-33545 was published for mobsf (pip) Mar 24, 2026
Credited to djvirus9

JustHTML is vulnerable to XSS via code fence breakout in <pre> content (High)
GHSA-5vp3-3cg6-2rq3 was published for justhtml (pip) Mar 24, 2026
Credited to AlfinJ0se

FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel (Moderate)
GHSA-7789-65hx-f26w was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 24, 2026
Credited to mdcoxe

iCalendar has ICS injection via unsanitized URI property values (Moderate)
CVE-2026-33635 was published for icalendar (RubyGems) Mar 24, 2026
Credited to WesR

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter (High)
CVE-2026-33539 was published for parse-server (npm) Mar 24, 2026
Credited to mtrezza

Parse Server: Denial of Service via unindexed database query for unconfigured auth providers (High)
CVE-2026-33538 was published for parse-server (npm) Mar 24, 2026
Credited to mtrezza