GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
27,823 advisories
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
Moderate
CVE-2026-33500 was published for wwbn/avideo (Composer) on Mar 20, 2026
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
Moderate
CVE-2026-33499 was published for wwbn/avideo (Composer) on Mar 20, 2026
Parse Server has a query condition depth bypass via pre-validation transform pipeline
High
CVE-2026-33498 was published for parse-server (npm) on Mar 20, 2026
langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading
High
CVE-2026-33497 was published for langflow (pip) on Mar 20, 2026
Ory Keto has a SQL injection via forged pagination tokens
High
CVE-2026-33505 was published for github.com/ory/keto (Go) on Mar 20, 2026
Ory Hydra has a SQL injection via forged pagination tokens
High
CVE-2026-33504 was published for github.com/ory/hydra (Go) on Mar 20, 2026
Ory Kratos has a SQL injection via forged pagination tokens
High
CVE-2026-33503 was published for github.com/ory/kratos (Go) on Mar 20, 2026
Ory Oathkeeper has a path traversal authorization bypass
Critical
CVE-2026-33494 was published for github.com/ory/oathkeeper (Go) on Mar 20, 2026
Ory Oathkeeper has an authentication bypass by cache key confusion
High
CVE-2026-33496 was published for github.com/ory/oathkeeper (Go) on Mar 20, 2026
Ory Oathkeeper has an authentication bypass by usage of untrusted header
Moderate
CVE-2026-33495 was published for github.com/ory/oathkeeper (Go) on Mar 20, 2026
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Moderate
GHSA-4hxc-9384-m385 was published for h3 (npm) on Mar 20, 2026
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Low
CVE-2026-33490 was published for h3 (npm) on Mar 20, 2026
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
Moderate
GHSA-72gr-qfp7-vwhw was published for h3 (npm) on Mar 20, 2026
AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
High
CVE-2026-33493 was published for wwbn/avideo (Composer) on Mar 20, 2026
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
High
CVE-2026-33492 was published for wwbn/avideo (Composer) on Mar 20, 2026
AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
High
CVE-2026-33488 was published for wwbn/avideo (Composer) on Mar 20, 2026
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
High
CVE-2026-33468 was published for kysely (npm) on Mar 20, 2026
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
High
CVE-2026-33442 was published for kysely (npm) on Mar 20, 2026
etcd: Authorization bypasses in multiple APIs
High
CVE-2026-33413 was published for go.etcd.io/etcd (Go) on Mar 20, 2026
MinIO LDAP login brute-force via user enumeration and missing rate limit
Critical
CVE-2026-33419 was published for github.com/minio/minio (Go) on Mar 20, 2026
AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
High
CVE-2026-33485 was published for wwbn/avideo (Composer) on Mar 20, 2026
langflow has Unauthenticated IDOR on Image Downloads
High
CVE-2026-33484 was published for langflow (pip) on Mar 20, 2026
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
High
CVE-2026-33483 was published for wwbn/avideo (Composer) on Mar 20, 2026
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
High
CVE-2026-33482 was published for wwbn/avideo (Composer) on Mar 20, 2026
Syft improper temporary file cleanup
Moderate
CVE-2026-33481 was published for github.com/anchore/syft (Go) on Mar 20, 2026