GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
52 advisories
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
High | CVE-2026-28425 was published for statamic/cms (Composer) | Mar 1, 2026

Parse Server has a bypass of class-level permissions in LiveQuery
High | CVE-2026-30947 was published for parse-server (npm) | Mar 11, 2026

Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
High | CVE-2026-30948 was published for parse-server (npm) | Mar 11, 2026

Parse Server missing audience validation in Keycloak authentication adapter
High | CVE-2026-30949 was published for parse-server (npm) | Mar 11, 2026

Parse Server has a protected fields bypass via dot-notation in query and sort
High | CVE-2026-31872 was published for parse-server (npm) | Mar 11, 2026

StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
High | CVE-2026-32101 was published for @studiocms/s3-storage (npm) | Mar 12, 2026

OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")
High | CVE-2026-32308 was published for oneuptime (npm) | Mar 13, 2026

Glances has a Command Injection via Process Names in Action Command Templates
High | CVE-2026-32608 was published for Glances (pip) | Mar 16, 2026

Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
High | CVE-2026-32609 was published for Glances (pip) | Mar 16, 2026

Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
High | CVE-2026-32610 was published for Glances (pip) | Mar 16, 2026

Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements
High | CVE-2026-32611 was published for Glances (pip) | Mar 16, 2026

Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
High | CVE-2026-32634 was published for Glances (pip) | Mar 16, 2026

Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
High | CVE-2026-32813 was published for admidio/admidio (Composer) | Mar 16, 2026

Parse Server leaks protected fields via LiveQuery afterEvent trigger
High | CVE-2026-33163 was published for parse-server (npm) | Mar 18, 2026

AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
High | CVE-2026-33292 was published for wwbn/avideo (Composer) | Mar 19, 2026

AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
High | CVE-2026-33293 was published for wwbn/avideo (Composer) | Mar 19, 2026

Parse Server has an auth provider validation bypass on login via partial authData
High | CVE-2026-33409 was published for parse-server (npm) | Mar 19, 2026

SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
High | CVE-2026-33418 was published for @dicebear/converter (npm) | Mar 20, 2026

AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
High | CVE-2026-33479 was published for wwbn/avideo (Composer) | Mar 20, 2026

AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
High | CVE-2026-33480 was published for wwbn/avideo (Composer) | Mar 20, 2026

Parse Server's LiveQuery bypasses CLP pointer permission enforcement
High | CVE-2026-33421 was published for parse-server (npm) | Mar 20, 2026

AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
High | CVE-2026-33482 was published for wwbn/avideo (Composer) | Mar 20, 2026

AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
High | CVE-2026-33483 was published for wwbn/avideo (Composer) | Mar 20, 2026

Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
High | CVE-2026-33442 was published for kysely (npm) | Mar 20, 2026

Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
High | CVE-2026-33468 was published for kysely (npm) | Mar 20, 2026