GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, count by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 46; GitHub Actions 48; Go 3,343; Maven 5,000+; npm 5,000+; NuGet 881; pip 4,550; Pub 12; RubyGems 1,013; Rust 1,203; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.
27,945 advisories
| Advisory | Severity | ID | Package (ecosystem) | Published | Status |
|---|---|---|---|---|---|
| Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes | Critical | GHSA-x49q-fhhm-r9jf | openclaw (npm) | Mar 20, 2026 | withdrawn |
| Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers | Moderate | CVE-2026-29794 | code.vikunja.io/api (Go) | Mar 20, 2026 | |
| Spring MVC and WebFlux has Server Sent Event stream corruption | Low | CVE-2026-22735 | org.springframework:spring-webflux (Maven) | Mar 20, 2026 | |
| Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints | High | CVE-2026-22733 | org.springframework.boot:spring-boot-starter-actuator (Maven) | Mar 20, 2026 | |
| Spring Boot has an Authentication Bypass under Actuator Health groups paths | High | CVE-2026-22731 | org.springframework.boot:spring-boot-starter-actuator (Maven) | Mar 20, 2026 | |
| Spring Security HTTP Headers Are not Written Under Some Conditions | Critical | CVE-2026-22732 | org.springframework.security:spring-security-web (Maven) | Mar 20, 2026 | |
| ingress-nginx comment-based nginx configuration injection | High | CVE-2026-4342 | k8s.io/ingress-nginx (Go) | Mar 20, 2026 | |
| Spring Framework Improper Path Limitation with Script View Templates | Moderate | CVE-2026-22737 | org.springframework:spring-webflux (Maven) | Mar 20, 2026 | |
| Parse Server has an auth provider validation bypass on login via partial authData | High | CVE-2026-33409 | parse-server (npm) | Mar 19, 2026 | |
| Scriban Affected by Memory Exhaustion (OOM) via Unbounded String Generation (Denial of Service) | Moderate | GHSA-5rpf-x9jg-8j5p | scriban (NuGet) | Mar 19, 2026 | |
| Scriban has an Infinite Recursion during Object Rendering Leads to Stack Overflow and Process Crash (Denial of Service) | High | GHSA-grr9-747v-xvcp | scriban (NuGet) | Mar 19, 2026 | |
| Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service) | High | GHSA-wgh7-7m3c-fx25 | scriban (NuGet) | Mar 19, 2026 | |
| Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR | Moderate | CVE-2026-33397 | @angular/ssr (npm) | Mar 19, 2026 | |
| The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI | Moderate | CVE-2026-4267 | johnbillion/query-monitor (Composer) | Mar 19, 2026 | |
| AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php` | High | CVE-2026-33354 | wwbn/avideo (Composer) | Mar 19, 2026 | |
| In Soft Serve, an authenticated repo import can clone server-local private repositories | High | CVE-2026-33353 | github.com/charmbracelet/soft-serve (Go) | Mar 19, 2026 | |
| AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) | Critical | CVE-2026-33352 | wwbn/avideo (Composer) | Mar 19, 2026 | |
| Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG | High | CVE-2026-33344 | github.com/dagu-org/dagu (Go) | Mar 19, 2026 | |
| AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass | Critical | CVE-2026-33351 | wwbn/avideo (Composer) | Mar 19, 2026 | |
| Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | Moderate | CVE-2026-33349 | fast-xml-parser (npm) | Mar 19, 2026 | |
| league/commonmark has an embed extension allowed_domains bypass | Moderate | CVE-2026-33347 | league/commonmark (Composer) | Mar 19, 2026 | |
| NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion | Moderate | CVE-2026-33332 | nicegui (pip) | Mar 19, 2026 | |
| @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix) | Moderate | CVE-2026-33326 | @keystone-6/core (npm) | Mar 19, 2026 | |
| Packetbeat does not properly validate an array index in multiple protocol parser components | Moderate | CVE-2026-26933 | github.com/elastic/beats/v7 (Go) | Mar 19, 2026 | |
| PyMuPDF has a path traversal in _main_.py | Moderate | CVE-2026-3029 | PyMuPDF (pip) | Mar 19, 2026 | |
ProTip! Advisories are also available from the GraphQL API.