
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

105 advisories

Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization (Moderate)
GHSA-fpw4-p57j-hqmq was published for @paperclipai/ui (npm) on Apr 16, 2026
Credited to offset
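The mechanism named in the Paperclip advisory above, shown as an added example that is neither Paperclip's nor react-markdown's own code: a scheme-allowlisting urlTransform in the style of react-markdown's default, beside the identity override that hands the href back verbatim and so turns the check off. The allowlist (http, https, mailto, tel), the normalisation step, the renderLink helper and the sample href are assumptions made for this example, not details taken from the advisory.

```javascript
// Added example (not Paperclip's or react-markdown's code): a scheme-allowlist
// urlTransform beside the identity override that disables it.
// The allowlist and helper names below are assumptions made for this example.

const SAFE_PROTOCOLS = new Set(['http', 'https', 'mailto', 'tel']);

// Browsers remove ASCII tab/LF/CR anywhere in a URL and trim leading/trailing
// C0 controls and spaces before parsing, so apply the same normalisation first;
// otherwise "java\nscript:alert(1)" would pass a naive scheme check.
function normalizeUrl(value) {
  return String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Return the URL unchanged when it is relative or uses an allowed scheme;
// otherwise return '' so the rendered link has an empty href.
function safeUrlTransform(value) {
  const url = normalizeUrl(value);
  const colon = url.indexOf(':');
  if (colon === -1) return url; // no scheme at all: relative URL
  // A ':' that appears after the first '/', '?' or '#' is part of the path
  // or query (e.g. "/search?q=a:b"), not a scheme separator.
  const firstDelim = [url.indexOf('/'), url.indexOf('?'), url.indexOf('#')]
    .filter((i) => i !== -1)
    .reduce((a, b) => Math.min(a, b), Infinity);
  if (colon > firstDelim) return url;
  const scheme = url.slice(0, colon).toLowerCase();
  return SAFE_PROTOCOLS.has(scheme) ? url : '';
}

// The override pattern the advisory title describes: handing the href back
// verbatim turns the scheme check off, so javascript: URLs reach the DOM.
function identityUrlTransform(value) {
  return value;
}

// Attribute-escape so a crafted href cannot break out of the quotes. This is
// a separate concern from scheme filtering, which only the transform provides.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Stand-in for a markdown link renderer that applies a urlTransform prop.
function renderLink(href, text, urlTransform) {
  return `<a href="${escapeAttr(urlTransform(href))}">${escapeAttr(text)}</a>`;
}

// Constructed sample input: a markdown author controls the link target.
const ATTACKER_HREF = 'JavaScript:alert(document.cookie)';
console.log(renderLink(ATTACKER_HREF, 'click me', safeUrlTransform));
console.log(renderLink(ATTACKER_HREF, 'click me', identityUrlTransform));
```

The practical rule this illustrates: when an application needs an extra scheme (say, a custom deep-link protocol), the override should call the library's default transform and add to its result, not replace it with a pass-through. The normalisation step matters because the browser strips tab and newline characters before it parses the scheme, so a check on the raw string alone can be bypassed with `java\nscript:`.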
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server (Moderate)
GHSA-p7mm-r948-4q3q was published for @paperclipai/server (npm) on Apr 16, 2026
Credited to offset
sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements (Moderate)
CVE-2026-40186 was published for sanitize-html (npm) on Apr 16, 2026
Credited to offset
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API (Moderate)
CVE-2026-33888 was published for apostrophe (npm) on Apr 16, 2026
Credited to offset
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index That Allows Cross-Customer Email Spoofing (Moderate)
GHSA-vmjj-qr7v-pxm6 was published for froxlor/froxlor (Composer) on Apr 16, 2026
Credited to offset
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() (Moderate)
GHSA-jvx4-xv3m-hrj4 was published for froxlor/froxlor (Composer) on Apr 16, 2026
Credited to offset
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` (Moderate)
CVE-2026-39381 was published for parse-server (npm) on Apr 8, 2026
Credited to offset and mtrezza
Parse Server has a login timing side-channel that reveals user existence (Moderate)
CVE-2026-39321 was published for parse-server (npm) on Apr 8, 2026
Credited to offset and mtrezza
WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver (Moderate)
GHSA-8pv3-29pp-pf8f was published for wwbn/avideo (Composer) on Apr 14, 2026
Credited to offset
CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure (Moderate)
GHSA-hg7g-56h5-5pqr was published for wwbn/avideo (Composer) on Apr 14, 2026
Credited to offset
WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php That Exposes Developer Emails and Deployed Version (Moderate)
GHSA-52hf-63q4-r926 was published for wwbn/avideo (Composer) on Apr 14, 2026
Credited to offset
WWBN AVideo has an IDOR in Live Restreams list.json.php That Exposes Other Users' Stream Keys and OAuth Tokens (Moderate)
GHSA-gpgp-w4x2-h3h7 was published for wwbn/avideo (Composer) on Apr 14, 2026
Credited to offset
AVideo has a Path Traversal in listFiles.json.php That Enables Server Filesystem Enumeration (Moderate)
CVE-2026-33238 was published for wwbn/avideo (Composer) on Mar 19, 2026
Credited to offset and Marcono1234
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation (Moderate)
CVE-2026-33237 was published for wwbn/avideo (Composer) on Mar 19, 2026
Credited to offset and Marcono1234
Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload (Moderate)
GHSA-69hx-63pv-f8f4 was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Credited to offset
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation (Moderate)
GHSA-r2x7-427f-rq69 was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Credited to offset
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure (Moderate)
GHSA-w8jj-cwmc-wgq2 was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Credited to offset
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass (Moderate)
GHSA-fwg7-53p4-g33c was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Credited to offset
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session (Moderate)
GHSA-hm2h-wwwh-g49x was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Credited to offset
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands (Moderate)
GHSA-ffp3-3562-8cv3 was published for praisonaiagents (pip) on Apr 10, 2026
Credited to offset