GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,653 advisories

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint (Moderate)
CVE-2026-33638 was published for github.com/lin-snow/ech0 (Go) on Mar 24, 2026
Credited to QiaoNPC

Scriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation (Moderate)
GHSA-xw6w-9jjh-p9cr was published for Scriban (NuGet) on Mar 24, 2026
Credited to restriction

Scriban: Denial of Service via Unbounded Cumulative Template Output Bypassing LimitToString (Moderate)
GHSA-m2p3-hwv5-xpqw was published for Scriban (NuGet) on Mar 24, 2026
Credited to restriction

Scriban: Uncontrolled Memory Allocation via string.pad_left/pad_right Allows Remote Denial of Service (High)
GHSA-v66j-x4hw-fv9g was published for Scriban (NuGet) on Mar 24, 2026
Credited to restriction

Scriban: Built-in operations bypass LoopLimit and delay cancellation, enabling Denial of Service (High)
GHSA-c875-h985-hvrc was published for scriban (NuGet) on Mar 24, 2026
Credited to Zwique

Scriban: Sandbox escape due to TypedObjectAccessor cache bypassing MemberFilter after TemplateContext reuse (Critical)
GHSA-5wr9-m6jw-xx44 was published for scriban (NuGet) on Mar 24, 2026
Credited to Zwique

Scriban has an authorization bypass due to stale include cache surviving TemplateContext.Reset() (High)
GHSA-x6m9-38vm-2xhf was published for scriban (NuGet) on Mar 24, 2026
Credited to Zwique

Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix (High)
GHSA-p6q4-fgr8-vx4p was published for Scriban (NuGet) on Mar 24, 2026
Credited to pawlos

NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching (Moderate)
CVE-2026-33248 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers (Moderate)
CVE-2026-33246 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing (Moderate)
CVE-2026-33223 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS JetStream has an authorization bypass through its Management API (Moderate)
CVE-2026-33222 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS is vulnerable to pre-auth DoS through WebSockets client service (Moderate)
CVE-2026-33219 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS has pre-auth server panic via leafnode handling (High)
CVE-2026-33218 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS allows MQTT clients to bypass ACL checks (High)
CVE-2026-33217 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS has MQTT plaintext password disclosure (High)
CVE-2026-33216 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS is vulnerable to MQTT hijacking via Client ID (Moderate)
CVE-2026-33215 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS Server panic via malicious compression on leafnode port (High)
CVE-2026-29785 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

NATS credentials are exposed in monitoring port via command-line argv (High)
CVE-2026-33247 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items (Moderate)
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) on Mar 24, 2026
Credited to morimori-dev

NATS: Message tracing can be redirected to arbitrary subject (Moderate)
CVE-2026-33249 was published for github.com/nats-io/nats-server/v2 (Go) on Mar 24, 2026

Parse Server exposes auth data via /users/me endpoint (High)
CVE-2026-33627 was published for parse-server (npm) on Mar 24, 2026
Credited to mtrezza

Parse Server: MFA recovery code single-use bypass via concurrent requests (Low)
CVE-2026-33624 was published for parse-server (npm) on Mar 24, 2026
Credited to mtrezza and spbavarva

PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token (Moderate)
CVE-2026-33621 was published for github.com/pinchtab/pinchtab (Go) on Mar 24, 2026
Credited to mean3374