GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

66 advisories

Parse Server has a rate limit bypass via batch request endpoint (Moderate)
CVE-2026-30972 was published for parse-server (npm) on Mar 11, 2026
Credited to offset and mtrezza

Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types (Moderate)
CVE-2026-31868 was published for parse-server (npm) on Mar 11, 2026
Credited to offset and mtrezza

Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause (Moderate)
CVE-2026-32098 was published for parse-server (npm) on Mar 12, 2026
Credited to offset and mtrezza
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts (Moderate)
CVE-2026-32106 was published for studiocms (npm) on Mar 12, 2026
Credited to offset and Adammatthiesen

Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding (Moderate)
CVE-2026-32632 was published for Glances (pip) on Mar 16, 2026
Credited to offset

Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions (Moderate)
CVE-2026-32816 was published for admidio/admidio (Composer) on Mar 16, 2026
Credited to offset

Admidio is Missing CSRF Protection on Role Membership Date Changes (Moderate)
CVE-2026-32755 was published for admidio/admidio (Composer) on Mar 16, 2026
Credited to offset

Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint (Moderate)
CVE-2026-32812 was published for admidio/admidio (Composer) on Mar 16, 2026
Credited to offset

Admidio has an HTMLPurifier Bypass in eCard Message That Allows HTML Email Injection (Moderate)
CVE-2026-32757 was published for admidio/admidio (Composer) on Mar 16, 2026
Credited to offset

Admidio is Missing Authorization on Forum Topic and Post Deletion (Moderate)
CVE-2026-32818 was published for admidio/admidio (Composer) on Mar 16, 2026
Credited to offset

Parse Server vulnerable to schema poisoning via prototype pollution in deep copy (Moderate)
CVE-2026-32878 was published for parse-server (npm) on Mar 17, 2026
Credited to offset and mtrezza

Parse Server session creation endpoint allows overwriting server-generated session fields (Moderate)
CVE-2026-32742 was published for parse-server (npm) on Mar 17, 2026
Credited to mtrezza and offset

SiYuan has an Incomplete Fix for IsSensitivePath Denylist That Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass) (Moderate)
CVE-2026-33194 was published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 18, 2026
Credited to offset

JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script) (Moderate)
GHSA-qvc2-mg72-jjhx was published for justhtml (pip) on Mar 18, 2026
Credited to offset

AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation (Moderate)
CVE-2026-33237 was published for wwbn/avideo (Composer) on Mar 19, 2026
Credited to offset

AVideo has a Path Traversal in listFiles.json.php That Enables Server Filesystem Enumeration (Moderate)
CVE-2026-33238 was published for wwbn/avideo (Composer) on Mar 19, 2026
Credited to offset

AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command (Moderate)
CVE-2026-33319 was published for wwbn/avideo (Composer) on Mar 19, 2026
Credited to offset

AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch That Allows Reading Internal Network Resources (Moderate)
CVE-2026-33294 was published for wwbn/avideo (Composer) on Mar 19, 2026
Credited to offset

SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials (Moderate)
CVE-2026-33311 was published for @dicebear/core (npm) on Mar 19, 2026
Credited to offset

Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser (Moderate)
CVE-2026-33349 was published for fast-xml-parser (npm) on Mar 19, 2026
Credited to offset

PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing That Causes Memory Exhaustion DoS (Moderate)
GHSA-vrqm-gvq7-rrwh was published for @pdfme/pdf-lib (npm) on Mar 20, 2026
Credited to offset

PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel (Moderate)
GHSA-xgx4-2wgv-4jhm was published for @pdfme/schemas (npm) on Mar 20, 2026
Credited to offset

PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled (Moderate)
GHSA-pgx6-7jcq-2qff was published for @pdfme/common (npm) on Mar 20, 2026
Credited to offset

Parse Server has a protected field change detection oracle via LiveQuery watch parameter (Moderate)
CVE-2026-33429 was published for parse-server (npm) on Mar 20, 2026
Credited to offset and mtrezza