GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
27,653 advisories
MinIO LDAP login brute-force via user enumeration and missing rate limit
Critical
CVE-2026-33419
was published
for
github.com/minio/minio
(Go)
Mar 20, 2026
langflow has Unauthenticated IDOR on Image Downloads
High
CVE-2026-33484
was published
for
langflow
(pip)
Mar 20, 2026
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
High
CVE-2026-33483
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
High
CVE-2026-33482
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
Syft improper temporary file cleanup
Moderate
CVE-2026-33481
was published
for
github.com/anchore/syft
(Go)
Mar 20, 2026
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Moderate
CVE-2026-33429
was published
for
parse-server
(npm)
Mar 20, 2026
PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled
Moderate
GHSA-pgx6-7jcq-2qff
was published
for
@pdfme/common
(npm)
Mar 20, 2026
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel
Moderate
GHSA-xgx4-2wgv-4jhm
was published
for
@pdfme/schemas
(npm)
Mar 20, 2026
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS
Moderate
GHSA-vrqm-gvq7-rrwh
was published
for
@pdfme/pdf-lib
(npm)
Mar 20, 2026
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
High
CVE-2026-33421
was published
for
parse-server
(npm)
Mar 20, 2026
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
High
CVE-2026-33480
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
High
CVE-2026-33479
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Critical
CVE-2026-33478
was published
for
avideo/avideo
(Composer)
Mar 20, 2026
Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal
High
CVE-2026-33476
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 20, 2026
Vikunja Affected by DoS via Image Preview Generation
Moderate
CVE-2026-33474
was published
for
code.vikunja.io/api
(Go)
Mar 20, 2026
Vikunja has TOTP Reuse During Validity Window
Moderate
CVE-2026-33473
was published
for
code.vikunja.io/api
(Go)
Mar 20, 2026
SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
High
CVE-2026-33418
was published
for
@dicebear/converter
(npm)
Mar 20, 2026
etcd: Nested etcd transactions bypass RBAC authorization checks
Low
CVE-2026-33343
was published
for
go.etcd.io/etcd
(Go)
Mar 20, 2026
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
High
CVE-2026-32887
was published
for
effect
(npm)
Mar 20, 2026
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify
High
CVE-2026-33331
was published
for
@orpc/openapi
(npm)
Mar 20, 2026
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
High
CVE-2026-33316
was published
for
code.vikunja.io/api
(Go)
Mar 20, 2026
Vikunja has a 2FA Bypass via Caldav Basic Auth
Moderate
CVE-2026-33315
was published
for
code.vikunja.io/api
(Go)
Mar 20, 2026
ProTip!
Advisories are also available from the
GraphQL API