GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
11 advisories
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
Critical
CVE-2026-34361
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.validation
(Maven)
Mar 30, 2026
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR
Critical
GHSA-2pv8-4c52-mf8j
was published
for
code.vikunja.io/api
(Go)
Mar 26, 2026
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
Critical
CVE-2026-33716
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Critical
CVE-2026-33478
was published
for
avideo/avideo
(Composer)
Mar 20, 2026
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical
CVE-2026-32817
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical
CVE-2026-32633
was published
for
Glances
(pip)
Mar 16, 2026
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical
CVE-2026-32306
was published
for
oneuptime
(npm)
Mar 13, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Critical
CVE-2026-30966
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
ProTip!
Advisories are also available from the
GraphQL API