Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,359
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,554
Pub
12
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,996 advisories

Loading
Parse Server affected by empty authData bypassing credential requirement on signup Moderate
CVE-2026-33042 was published for parse-server (npm) Mar 17, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
astral-tokio-tar insufficiently validates PAX extensions during extraction Moderate
CVE-2026-32766 was published for astral-tokio-tar (Rust) Mar 17, 2026
woodruffw Credited to woodruffw and xokdvium xokdvium xokdvium
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php Moderate
CVE-2026-33041 was published for wwbn/avideo (Composer) Mar 17, 2026
offensiveee Credited to offensiveee
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments High
CVE-2026-33038 was published for wwbn/avideo (Composer) Mar 17, 2026
bugbunny-research Credited to bugbunny-research
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun Moderate
CVE-2026-33022 was published for github.com/tektoncd/pipeline (Go) Mar 17, 2026
1seal Credited to 1seal, vdemeester, and afrittoli vdemeester vdemeester
afrittoli afrittoli
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) High
CVE-2026-33036 was published for fast-xml-parser (npm) Mar 17, 2026
deprrous Credited to deprrous and yuezk yuezk yuezk
Tillitis TKey Client has an Error in Protocol Implementation Moderate
CVE-2026-32953 was published for github.com/tillitis/tkeyclient (Go) Mar 17, 2026
Micronaut Framework vulnerable to a Denial of Service in HTML error response caching High
CVE-2026-33012 was published for io.micronaut:micronaut-http-server (Maven) Mar 17, 2026
shblue21 Credited to shblue21
Nest Fastify HEAD Request Middleware Bypass High
CVE-2026-33011 was published for @nestjs/platform-fastify (npm) Mar 17, 2026
kamilmysliwiec Credited to kamilmysliwiec
Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier) Moderate
CVE-2026-32947 was published for step-security/harden-runner (GitHub Actions) Mar 17, 2026
devanshbatham Credited to devanshbatham
Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier) Moderate
CVE-2026-32946 was published for step-security/harden-runner (GitHub Actions) Mar 17, 2026
devanshbatham Credited to devanshbatham
Parse Server LiveQuery subscription with invalid regular expression crashes server Moderate
CVE-2026-32770 was published for parse-server (npm) Mar 17, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server session creation endpoint allows overwriting server-generated session fields Moderate
CVE-2026-32742 was published for parse-server (npm) Mar 17, 2026
mtrezza Credited to mtrezza
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy Moderate
CVE-2026-32878 was published for parse-server (npm) Mar 17, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server's Cloud function dispatch crashes server via prototype chain traversal High
CVE-2026-32886 was published for parse-server (npm) Mar 17, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports Moderate
CVE-2026-32941 was published for github.com/bishopfox/sliver (Go) Mar 17, 2026
skoveit Credited to skoveit
Parse Server has a password reset token single-use bypass via concurrent requests Low
CVE-2026-32943 was published for parse-server (npm) Mar 17, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server crash via deeply nested query condition operators High
CVE-2026-32944 was published for parse-server (npm) Mar 17, 2026
mtrezza Credited to mtrezza
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to Moderate
CVE-2026-32700 was published for devise (RubyGems) Mar 17, 2026
grantcox Credited to grantcox and albinowax albinowax albinowax
ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash Moderate
CVE-2026-32636 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 17, 2026
fumfel Credited to fumfel
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS High
CVE-2026-32254 was published for github.com/cloudnativelabs/kube-router/v2 (Go) Mar 17, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
jsPDF has HTML Injection in New Window paths Critical
CVE-2026-31938 was published for jspdf (npm) Mar 17, 2026
sofianeelhor Credited to sofianeelhor and peaktwilight peaktwilight peaktwilight
jsPDF has a PDF Object Injection via FreeText color High
CVE-2026-31898 was published for jspdf (npm) Mar 17, 2026
sofianeelhor Credited to sofianeelhor and peaktwilight peaktwilight peaktwilight
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() High
CVE-2026-31891 was published for cockpit-hq/cockpit (Composer) Mar 17, 2026
ffasterss Credited to ffasterss
Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices High
CVE-2026-33013 was published for io.micronaut:micronaut-json-core (Maven) Mar 17, 2026
shblue21 Credited to shblue21
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database