Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,426
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,670
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

141 advisories

Loading
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` Moderate
CVE-2026-39381 was published for parse-server (npm) Apr 8, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page Moderate
CVE-2026-39367 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php Moderate
CVE-2026-39366 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level Moderate
GHSA-fcmh-qfxc-w685 was published for github.com/cloudnativelabs/kube-router/v2 (Go) Apr 8, 2026
offset Credited to offset
Parse Server has a login timing side-channel reveals user existence Moderate
CVE-2026-39321 was published for parse-server (npm) Apr 8, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass Moderate
CVE-2026-35592 was published for pyload-ng (pip) Apr 8, 2026
offset Credited to offset
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng Moderate
CVE-2026-35586 was published for pyload-ng (pip) Apr 8, 2026
offset Credited to offset
Parse Server: File upload Content-Type override via extension mismatch Low
CVE-2026-35200 was published for parse-server (npm) Apr 4, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation High
CVE-2026-35044 was published for bentoml (pip) Apr 3, 2026
offset Credited to offset
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata High
CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
offset Credited to offset
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser Moderate
CVE-2026-34211 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
offset Credited to offset
Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber Low
CVE-2026-34762 was published for github.com/ellanetworks/core (Go) Apr 1, 2026
offset Credited to offset
Ella Core Panics Upon NGAP handover failure Moderate
CVE-2026-34761 was published for github.com/ellanetworks/core (Go) Apr 1, 2026
offset Credited to offset
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution High
CVE-2026-34528 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
offset Credited to offset
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions High
CVE-2026-34604 was published for @tinacms/graphql (npm) Apr 1, 2026
offset Credited to offset
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions High
CVE-2026-34603 was published for @tinacms/graphql (npm) Apr 1, 2026
offset Credited to offset
Parse Server exposes auth data via verify password endpoint High
CVE-2026-34215 was published for parse-server (npm) Mar 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parser Server's streaming file download bypasses afterFind file trigger authorization High
CVE-2026-34784 was published for parse-server (npm) Apr 1, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter Moderate
CVE-2026-34383 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
Admidio has Missing CSRF Protection on Registration Approval Actions Moderate
CVE-2026-34384 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft Critical
CVE-2026-34361 was published for ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) Mar 30, 2026
offset Credited to offset
FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing Moderate
CVE-2026-34360 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
offset Credited to offset
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
offset Credited to offset
Parse Server has an MFA single-use token bypass via concurrent authData login requests Low
CVE-2026-34224 was published for parse-server (npm) Mar 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database