GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
9,571 advisories
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
High
CVE-2026-33039
was published
for
wwbn/avideo
(Composer)
Mar 17, 2026
music-metadata has an infinite loop vulnerability in ASF parser
High
CVE-2026-32256
was published
for
music-metadata
(npm)
Mar 17, 2026
AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
High
CVE-2026-33043
was published
for
wwbn/avideo
(Composer)
Mar 17, 2026
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
High
CVE-2026-33038
was published
for
wwbn/avideo
(Composer)
Mar 17, 2026
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
High
CVE-2026-33036
was published
for
fast-xml-parser
(npm)
Mar 17, 2026
Nest Fastify HEAD Request Middleware Bypass
High
CVE-2026-33011
was published
for
@nestjs/platform-fastify
(npm)
Mar 17, 2026
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
High
CVE-2026-32886
was published
for
parse-server
(npm)
Mar 17, 2026
Parse Server crash via deeply nested query condition operators
High
GHSA-9xp9-j92r-p88v
was published
for
parse-server
(npm)
Mar 17, 2026
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
High
CVE-2026-32254
was published
for
github.com/cloudnativelabs/kube-router/v2
(Go)
Mar 17, 2026
jsPDF has a PDF Object Injection via FreeText color
High
CVE-2026-31898
was published
for
jspdf
(npm)
Mar 17, 2026
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
High
CVE-2026-31891
was published
for
cockpit-hq/cockpit
(Composer)
Mar 17, 2026
Denial of Service in pyasn1 via Unbounded Recursion
High
CVE-2026-30922
was published
for
pyasn1
(pip)
Mar 17, 2026
Uncontrolled recursion DoS in JustHTML() via deeply nested HTML
High
GHSA-v7cf-c9rm-wm3j
was published
for
justhtml
(pip)
Mar 17, 2026
Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
High
CVE-2026-32813
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
File Upload(RCE) Vulnerability in admidio
High
CVE-2026-32756
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Loop with Unreachable Exit Condition ('Infinite Loop') in ewe
High
GHSA-4w98-xf39-23gp
was published
for
ewe
(Erlang)
Mar 16, 2026
lz4_flex's decompression can leak information from uninitialized memory or reused output buffer
High
GHSA-vvp9-7p8x-rfvv
was published
for
lz4_flex
(Rust)
Mar 16, 2026
Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace
High
CVE-2026-32769
was published
for
github.com/ctfer-io/fullchain
(Go)
Mar 16, 2026
Romeo is vulnerable to Archive Slip due to missing checks in sanitization
High
CVE-2026-32805
was published
for
github.com/ctfer-io/romeo/webserver
(Go)
Mar 16, 2026
Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
High
CVE-2026-32771
was published
for
github.com/ctfer-io/monitoring
(Go)
Mar 16, 2026
Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace
High
CVE-2026-32737
was published
for
github.com/ctfer-io/romeo/environment/deploy
(Go)
Mar 16, 2026
Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another namespace
High
CVE-2026-32768
was published
for
github.com/ctfer-io/chall-manager/deploy
(Go)
Mar 16, 2026
OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection
High
GHSA-g2f6-pwvx-r275
was published
for
openclaw
(npm)
Mar 16, 2026
ProTip!
Advisories are also available from the
GraphQL API