GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,653 advisories

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments Moderate
CVE-2026-33313 was published for code.vikunja.io/api (Go) Mar 20, 2026
Vikunja read-only users can delete project background images via broken object-level authorization Moderate
CVE-2026-33312 was published for code.vikunja.io/api (Go) Mar 20, 2026
tar-rs `unpack_in` can chmod arbitrary directories by following symlinks Moderate
CVE-2026-33056 was published for tar (Rust) Mar 20, 2026
Credited to xokdvium
tar-rs incorrectly ignores PAX size headers if header size is nonzero Moderate
CVE-2026-33055 was published for tar (Rust) Mar 20, 2026
Credited to xokdvium and woodruffw
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names Critical
CVE-2026-33286 was published for graphiti (RubyGems) Mar 20, 2026
Credited to doublevoid and simonrand
Credited to jh4nks
Qwik City has array method pollution in FormData processing allows type confusion and DoS High
CVE-2026-32701 was published for @builder.io/qwik-city (npm) Mar 20, 2026
Credited to Y4tacker
Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration Moderate
CVE-2026-32595 was published for github.com/traefik/traefik (Go) Mar 20, 2026
Credited to f1veT
Credited to InfinityHub123
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
GHSA-x49q-fhhm-r9jf was published for openclaw (npm) Mar 20, 2026 withdrawn
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers Moderate
CVE-2026-29794 was published for code.vikunja.io/api (Go) Mar 20, 2026
Credited to alp1n3-dev
Spring Framework Improper Path Limitation with Script View Templates Moderate
CVE-2026-22737 was published for org.springframework:spring-webflux (Maven) Mar 20, 2026
Spring MVC and WebFlux has Server Sent Event stream corruption Low
CVE-2026-22735 was published for org.springframework:spring-webflux (Maven) Mar 20, 2026
Spring Security HTTP Headers Are not Written Under Some Conditions Critical
CVE-2026-22732 was published for org.springframework.security:spring-security-web (Maven) Mar 20, 2026
ingress-nginx comment-based nginx configuration injection High
CVE-2026-4342 was published for k8s.io/ingress-nginx (Go) Mar 20, 2026
Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints High
CVE-2026-22733 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) Mar 20, 2026
Spring Boot has an Authentication Bypass under Actuator Health groups paths High
CVE-2026-22731 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) Mar 20, 2026
Parse Server has an auth provider validation bypass on login via partial authData High
CVE-2026-33409 was published for parse-server (npm) Mar 19, 2026
Credited to restriction and mtrezza
Scriban Affected by Memory Exhaustion (OOM) via Unbounded String Generation (Denial of Service) Moderate
GHSA-5rpf-x9jg-8j5p was published for scriban (NuGet) Mar 19, 2026
Credited to skdishansachin
Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service) High
GHSA-wgh7-7m3c-fx25 was published for scriban (NuGet) Mar 19, 2026
Credited to skdishansachin
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR Moderate
CVE-2026-33397 was published for @angular/ssr (npm) Mar 19, 2026
Credited to VenkatKwest, alan-agius4, securityMB, josephperrott, and AndrewKushnir
The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI Moderate
CVE-2026-4267 was published for johnbillion/query-monitor (Composer) Mar 19, 2026
Credited to gr00ve3
In Soft Serve, an authenticated repo import can clone server-local private repositories High
CVE-2026-33353 was published for github.com/charmbracelet/soft-serve (Go) Mar 19, 2026
Credited to evnsh