GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
94 advisories
AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter
High
CVE-2026-33723
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment
High
CVE-2026-33719
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
High
CVE-2026-33717
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
Critical
CVE-2026-33716
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
High
CVE-2026-33680
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
Moderate
CVE-2026-33679
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
High
CVE-2026-33678
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Moderate
CVE-2026-33677
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Moderate
CVE-2026-33676
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
Moderate
CVE-2026-33675
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php
Moderate
GHSA-wxjx-r2j2-96fx
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
Moderate
CVE-2026-33688
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
Moderate
CVE-2026-33685
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
Moderate
CVE-2026-33683
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name
High
CVE-2026-33681
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
High
CVE-2026-33651
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
High
CVE-2026-33650
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
High
CVE-2026-33649
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
High
CVE-2026-33648
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
High
CVE-2026-33647
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
Scriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation
Moderate
GHSA-xw6w-9jjh-p9cr
was published
for
Scriban
(NuGet)
Mar 24, 2026
Scriban: Denial of Service via Unbounded Cumulative Template Output Bypassing LimitToString
Moderate
GHSA-m2p3-hwv5-xpqw
was published
for
Scriban
(NuGet)
Mar 24, 2026
Scriban has Uncontrolled Recursion in `object.to_json` Causing Unrecoverable Process Crash via StackOverflowException
High
GHSA-xcx6-vp38-8hr5
was published
for
Scriban
(NuGet)
Mar 24, 2026
Scriban: Uncontrolled Memory Allocation via string.pad_left/pad_right Allows Remote Denial of Service
High
GHSA-v66j-x4hw-fv9g
was published
for
Scriban
(NuGet)
Mar 24, 2026
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Moderate
CVE-2026-33527
was published
for
parse-server
(npm)
Mar 24, 2026
ProTip!
Advisories are also available from the
GraphQL API