Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,343
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,550
Pub
12
RubyGems
1,013
Rust
1,203
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,945 advisories

Loading
free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error High
CVE-2026-33191 was published for github.com/free5gc/udm (Go) Mar 18, 2026
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass High
CVE-2026-33203 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
mith36 Credited to mith36
SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass) Moderate
CVE-2026-33194 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
offset Credited to offset
gRPC-Go has an authorization bypass via missing leading slash in :path Critical
CVE-2026-33186 was published for google.golang.org/grpc (Go) Mar 18, 2026
MariuszMaik Credited to MariuszMaik
DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT High
CVE-2026-33155 was published for deepdiff (pip) Mar 18, 2026
am-periphery Credited to am-periphery
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver High
CVE-2026-33154 was published for dynaconf (pip) Mar 18, 2026
redyank Credited to redyank
HAPI FHIR HTTP authentication leak in redirects Critical
CVE-2026-33180 was published for ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) Mar 18, 2026
ElliotSilver Credited to ElliotSilver
Filament Unvalidated Range and Values summarizer values can be used for XSS High
CVE-2026-33080 was published for filament/tables (Composer) Mar 18, 2026
danharrin Credited to danharrin
free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request Moderate
CVE-2026-33065 was published for github.com/free5gc/udm (Go) Mar 18, 2026
free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference High
CVE-2026-33064 was published for github.com/free5gc/udm (Go) Mar 18, 2026
free5GC AUSF UE Authentication Panic on Nil SuciSupiMap Interface Conversion High
CVE-2026-33063 was published for github.com/free5gc/ausf (Go) Mar 18, 2026
free5GC NRF Discovery EncodeGroupId Function Panics on Malformed group-id-list Parameter High
CVE-2026-33062 was published for github.com/free5gc/nrf (Go) Mar 18, 2026
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py Critical
CVE-2026-33057 was published for mesop (pip) Mar 18, 2026
liyander Credited to liyander
Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion Critical
CVE-2026-33054 was published for mesop (pip) Mar 18, 2026
liyander Credited to liyander
Statamic is missing authorization check on taxonomy term creation via fieldtype Moderate
CVE-2026-33177 was published for statamic/cms (Composer) Mar 18, 2026
everythingBlackkk Credited to everythingBlackkk
Statamic has a path traversal in file dictionary fieldtype Moderate
CVE-2026-33171 was published for statamic/cms (Composer) Mar 18, 2026
spbavarva Credited to spbavarva
Statamic has Stored XSS via SVG Sanitization Bypass High
CVE-2026-33172 was published for statamic/cms (Composer) Mar 18, 2026
FilipeGaudard Credited to FilipeGaudard
Gossipsub PRUNE.backoff Duration Overflow High
CVE-2026-33040 was published for libp2p-gossipsub (Rust) Mar 18, 2026
Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers) High
CVE-2026-33166 was published for io.qameta.allure:allure-generator (Maven) Mar 18, 2026
ThanosTsiamis Credited to ThanosTsiamis and baev baev baev
Parse Server leaks protected fields via LiveQuery afterEvent trigger High
CVE-2026-33163 was published for parse-server (npm) Mar 18, 2026
mtrezza Credited to mtrezza
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction Critical
CVE-2026-32731 was published for @apostrophecms/import-export (npm) Mar 18, 2026
0xEr3n Credited to 0xEr3n
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware High
CVE-2026-32730 was published for apostrophe (npm) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2026-30048 was published for @developer.notchatbot/webchat (npm) Mar 18, 2026
Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation High
CVE-2026-33002 was published for org.jenkins-ci.main:jenkins-core (Maven) Mar 18, 2026
Jenkins LoadNinja Plugin does not mask LoadNinja API keys displayed on the job configuration form Moderate
CVE-2026-33004 was published for org.jenkins-ci.plugins:loadninja (Maven) Mar 18, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database