GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,772 advisories
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Critical
CVE-2026-28792
was published
for
@tinacms/cli
(npm)
Mar 12, 2026
Parse Server: Account takeover via operator injection in authentication data identifier
Critical
CVE-2026-32248
was published
for
parse-server
(npm)
Mar 12, 2026
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Critical
CVE-2026-32242
was published
for
parse-server
(npm)
Mar 12, 2026
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Critical
CVE-2026-32136
was published
for
github.com/AdguardTeam/AdGuardHome
(Go)
Mar 12, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
xygeni-action v5 tag poisoned with C2 backdoor
Critical
CVE-2026-31976
was published
for
xygeni/xygeni-action
(GitHub Actions)
Mar 11, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871
was published
for
parse-server
(npm)
Mar 11, 2026
Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go
Critical
GHSA-j443-wcqq-xprh
was published
for
github.com/arslanbekov/terraform-provider-sendgrid
(Go)
Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856
was published
for
parse-server
(npm)
Mar 11, 2026
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
Critical
CVE-2026-31862
was published
for
@siteboon/claudecodeui
(npm)
Mar 11, 2026
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Critical
CVE-2026-30966
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Critical
CVE-2026-30965
was published
for
parse-server
(npm)
Mar 11, 2026
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Critical
CVE-2026-29793
was published
for
@feathersjs/mongodb
(npm)
Mar 10, 2026
Feathers has an OAuth Callback Account Takeover issue
Critical
CVE-2026-29792
was published
for
@feathersjs/authentication-oauth
(npm)
Mar 10, 2026
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment
Critical
CVE-2026-27825
was published
for
mcp-atlassian
(pip)
Mar 10, 2026
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
Critical
CVE-2026-28292
was published
for
simple-git
(npm)
Mar 10, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface
Critical
CVE-2026-30960
was published
for
rssn
(Rust)
Mar 10, 2026
Linkdave Missing Authentication on REST and WebSocket endpoints
Critical
GHSA-xv8g-fj9h-6gmv
was published
for
github.com/shi-gg/linkdave
(Go)
Mar 10, 2026
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30957
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Critical
CVE-2026-30956
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Critical
CVE-2026-30863
was published
for
parse-server
(npm)
Mar 9, 2026
ProTip!
Advisories are also available from the
GraphQL API