Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,272
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,519
Pub
12
RubyGems
1,003
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,574 advisories

Loading
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand() High
CVE-2026-33482 was published for wwbn/avideo (Composer) Mar 20, 2026
restriction Credited to restriction
Syft improper temporary file cleanup Moderate
CVE-2026-33481 was published for github.com/anchore/syft (Go) Mar 20, 2026
htrgouvea Credited to htrgouvea
Parse Server has a protected field change detection oracle via LiveQuery watch parameter Moderate
CVE-2026-33429 was published for parse-server (npm) Mar 20, 2026
restriction Credited to restriction and mtrezza mtrezza mtrezza
PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled Moderate
GHSA-pgx6-7jcq-2qff was published for @pdfme/common (npm) Mar 20, 2026
restriction Credited to restriction
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel Moderate
GHSA-xgx4-2wgv-4jhm was published for @pdfme/schemas (npm) Mar 20, 2026
restriction Credited to restriction
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS Moderate
GHSA-vrqm-gvq7-rrwh was published for @pdfme/pdf-lib (npm) Mar 20, 2026
restriction Credited to restriction
Parse Server's LiveQuery bypasses CLP pointer permission enforcement High
CVE-2026-33421 was published for parse-server (npm) Mar 20, 2026
restriction Credited to restriction and mtrezza mtrezza mtrezza
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy High
CVE-2026-33480 was published for wwbn/avideo (Composer) Mar 20, 2026
restriction Credited to restriction
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin High
CVE-2026-33479 was published for wwbn/avideo (Composer) Mar 20, 2026
restriction Credited to restriction
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection Critical
CVE-2026-33478 was published for avideo/avideo (Composer) Mar 20, 2026
restriction Credited to restriction
Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal High
CVE-2026-33476 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 20, 2026
mith36 Credited to mith36
Vikunja Affected by DoS via Image Preview Generation Moderate
CVE-2026-33474 was published for code.vikunja.io/api (Go) Mar 20, 2026
Aryma-f4 Credited to Aryma-f4
Vikunja has TOTP Reuse During Validity Window Moderate
CVE-2026-33473 was published for code.vikunja.io/api (Go) Mar 20, 2026
alp1n3-dev Credited to alp1n3-dev
SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize() High
CVE-2026-33418 was published for @dicebear/converter (npm) Mar 20, 2026
restriction Credited to restriction
CRL Distribution Point Scope Check Logic Error in AWS-LC High
GHSA-9f94-5g5w-gf6r was published for aws-lc-fips-sys (Rust) Mar 20, 2026
AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN High
GHSA-394x-vwmw-crm3 was published for aws-lc-sys (Rust) Mar 20, 2026
etcd: Nested etcd transactions bypass RBAC authorization checks Low
CVE-2026-33343 was published for go.etcd.io/etcd (Go) Mar 20, 2026
Tulgaaaaaaaa Credited to Tulgaaaaaaaa
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC High
CVE-2026-32887 was published for effect (npm) Mar 20, 2026
jamesone Credited to jamesone
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify High
CVE-2026-33331 was published for @orpc/openapi (npm) Mar 20, 2026
abhayclasher Credited to abhayclasher
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement High
CVE-2026-33316 was published for code.vikunja.io/api (Go) Mar 20, 2026
VashuVats Credited to VashuVats
Vikunja has a 2FA Bypass via Caldav Basic Auth Moderate
CVE-2026-33315 was published for code.vikunja.io/api (Go) Mar 20, 2026
alp1n3-dev Credited to alp1n3-dev
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments Moderate
CVE-2026-33313 was published for code.vikunja.io/api (Go) Mar 20, 2026
Vikunja read-only users can delete project background images via broken object-level authorization Moderate
CVE-2026-33312 was published for code.vikunja.io/api (Go) Mar 20, 2026
tar-rs `unpack_in` can chmod arbitrary directories by following symlinks Moderate
CVE-2026-33056 was published for tar (Rust) Mar 20, 2026
xokdvium Credited to xokdvium
tar-rs incorrectly ignores PAX size headers if header size is nonzero Moderate
CVE-2026-33055 was published for tar (Rust) Mar 20, 2026
xokdvium Credited to xokdvium and woodruffw woodruffw woodruffw
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database