Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
47
GitHub Actions
48
Go
3,378
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,573
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

49 advisories

Loading
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions High
CVE-2026-34604 was published for @tinacms/graphql (npm) Apr 1, 2026
offset Credited to offset
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions High
CVE-2026-34603 was published for @tinacms/graphql (npm) Apr 1, 2026
offset Credited to offset
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution High
CVE-2026-34528 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
offset Credited to offset
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
offset Credited to offset
AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records High
GHSA-wprj-9cvc-5w37 was published for wwbn/avideo (Composer) Mar 29, 2026
offset Credited to offset
Parse Server exposes auth data via verify password endpoint High
CVE-2026-34215 was published for parse-server (npm) Mar 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter High
CVE-2026-33723 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment High
CVE-2026-33719 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL High
CVE-2026-33717 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion High
CVE-2026-33678 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name High
CVE-2026-33681 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat() High
CVE-2026-33651 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion High
CVE-2026-33650 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification High
CVE-2026-33649 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path High
CVE-2026-33648 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload High
CVE-2026-33647 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
Scriban has Uncontrolled Recursion in `object.to_json` Causing Unrecoverable Process Crash via StackOverflowException High
GHSA-xcx6-vp38-8hr5 was published for Scriban (NuGet) Mar 24, 2026
offset Credited to offset
Scriban: Uncontrolled Memory Allocation via string.pad_left/pad_right Allows Remote Denial of Service High
GHSA-v66j-x4hw-fv9g was published for Scriban (NuGet) Mar 24, 2026
offset Credited to offset
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration High
CVE-2026-33509 was published for pyload-ng (pip) Mar 20, 2026
offset Credited to offset
AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload High
CVE-2026-33507 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter High
CVE-2026-33493 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin High
CVE-2026-33488 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings High
CVE-2026-33468 was published for kysely (npm) Mar 20, 2026
offset Credited to offset and igalklebanov igalklebanov igalklebanov
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database