GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

9,551 advisories

Parse Server has a protected fields bypass via dot-notation in query and sort (High)
CVE-2026-31872 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

flagd Vulnerable to Allocation of Resources Without Limits or Throttling (High)
CVE-2026-31866 was published for github.com/open-feature/flagd/flagd (Go) on Mar 11, 2026
Credited to danipalli, marcozabel, and toddbaert

CraftCMS's `ElementSearchController` Affected by Blind SQL Injection (High)
CVE-2026-31858 was published for craftcms/cms (Composer) on Mar 11, 2026
Credited to Neosprings

sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest (High)
CVE-2026-31830 was published for sigstore (RubyGems) on Mar 11, 2026
Credited to hanazuki
Credited to nlgbao1340

Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes (High)
CVE-2026-31800 was published for parse-server (npm) on Mar 11, 2026
Credited to theinfosecguy and mtrezza

Parse Server OAuth2 authentication adapter account takeover via identity spoofing (High)
CVE-2026-30967 was published for parse-server (npm) on Mar 11, 2026
Credited to theinfosecguy and mtrezza

Parse Server has a protected fields bypass via logical query operators (High)
CVE-2026-30962 was published for parse-server (npm) on Mar 11, 2026
Credited to 0xkakash1 and mtrezza

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type (High)
CVE-2026-30951 was published for sequelize (npm) on Mar 11, 2026
Credited to EthanKim88

Parse Server missing audience validation in Keycloak authentication adapter (High)
CVE-2026-30949 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload (High)
CVE-2026-30948 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

Parse Server has a bypass of class-level permissions in LiveQuery (High)
CVE-2026-30947 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API (High)
CVE-2026-30946 was published for parse-server (npm) on Mar 11, 2026
Credited to mtrezza

StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service (High)
CVE-2026-30945 was published for studiocms (npm) on Mar 11, 2026
Credited to FilipeGaudard and Adammatthiesen

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints (High)
CVE-2026-30941 was published for parse-server (npm) on Mar 11, 2026
Credited to 0xkakash1 and mtrezza

Sylius has a Promotion Usage Limit Bypass via Race Condition (High)
CVE-2026-31824 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to whiteov3rflow and bnBart

Sylius affected by IDOR in Cart and Checkout LiveComponents (High)
CVE-2026-31820 was published for sylius/sylius (Composer) on Mar 11, 2026
Credited to p- and m-y-mo

Wisp Vulnerable to Path Traversal (High)
CVE-2026-28807 was published for wisp (Erlang) on Mar 11, 2026
Credited to jtdowney and lpil

OliveTin's unsafe parsing of UniqueTrackingId can be used to write files (High)
CVE-2026-31817 was published for github.com/OliveTin/OliveTin (Go) on Mar 11, 2026
Credited to iconnnjka

Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing (High)
CVE-2026-31812 was published for quinn-proto (Rust) on Mar 11, 2026

@siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes (High)
CVE-2026-31861 was published for @siteboon/claude-code-ui (npm) on Mar 10, 2026
Credited to Akokonunes and neo-ai-engineer

node-tar Symlink Path Traversal via Drive-Relative Linkpath (High)
CVE-2026-31802 was published for tar (npm) on Mar 10, 2026
Credited to Jvr2022

zot's create-only policy allows overwrite attempts of existing latest tag (update permission not required) (High)
CVE-2026-31801 was published for zotregistry.dev/zot (Go) on Mar 10, 2026
Credited to 1seal

pdfmake is vulnerable to server-side request forgery (SSRF) (High)
CVE-2026-26801 was published for pdfmake (npm) on Mar 10, 2026

Elysia has a string URL format ReDoS (High)
CVE-2026-30837 was published for elysia (npm) on Mar 10, 2026
Credited to EdamAme-x