GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

27,653 advisories

PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution Moderate
CVE-2026-33623 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution Moderate
CVE-2026-33622 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 24, 2026
Credited to Yesuhei
PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems Moderate
CVE-2026-33620 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl Moderate
CVE-2026-33619 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands Moderate
CVE-2026-29772 was published for @astrojs/node (npm) Mar 24, 2026
Credited to adrgs and aisafe-bot
MobSF has SQL Injection in its SQLite Database Viewer Utils Moderate
CVE-2026-33545 was published for mobsf (pip) Mar 24, 2026
Credited to djvirus9
JustHTML is vulnerable to XSS via code fence breakout in <pre> content High
GHSA-5vp3-3cg6-2rq3 was published for justhtml (pip) Mar 24, 2026
Credited to AlfinJ0se
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel Moderate
GHSA-7789-65hx-f26w was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 24, 2026
Credited to mdcoxe
iCalendar has ICS injection via unsanitized URI property values Moderate
CVE-2026-33635 was published for icalendar (RubyGems) Mar 24, 2026
Credited to WesR
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter High
CVE-2026-33539 was published for parse-server (npm) Mar 24, 2026
Credited to mtrezza
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers High
CVE-2026-33538 was published for parse-server (npm) Mar 24, 2026
Credited to mtrezza
fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing High
GHSA-g3qj-j598-cxmq was published for fido2-lib (npm) Mar 24, 2026
Credited to Xvush and JamesCullum
Trivy ecosystem supply chain was briefly compromised Critical
CVE-2026-33634 was published for aquasecurity/setup-trivy (GitHub Actions) Mar 24, 2026
Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions Moderate
CVE-2026-33162 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to GCXWLP
Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users Low
CVE-2026-33161 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to Susen2
Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL Low
CVE-2026-33160 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to GCXWLP
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations Moderate
CVE-2026-33159 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to GCXWLP
Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR) Moderate
CVE-2026-33158 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to GCXWLP
Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior High
CVE-2026-33157 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to yuma4869
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API High
CVE-2026-30932 was published for froxlor/froxlor (Composer) Mar 24, 2026
Credited to q1uf3ng
GoDoxy has a Path Traversal Vulnerability in its File API Moderate
CVE-2026-33528 was published for github.com/yusing/godoxy (Go) Mar 24, 2026
Credited to ormzro
Parse Server's Session Update endpoint allows overwriting server-generated session fields Moderate
CVE-2026-33527 was published for parse-server (npm) Mar 24, 2026
Credited to restriction and mtrezza
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting Low
CVE-2026-33525 was published for github.com/authelia/authelia/v4 (Go) Mar 24, 2026
sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows Moderate
CVE-2026-32948 was published for org.scala-sbt:sbt (Maven) Mar 24, 2026
Credited to anatoliykmetyuk and eed3si9n
H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation Moderate
GHSA-fp4x-ggrf-wmc6 was published for h3 (npm) Mar 23, 2026
Credited to restriction