GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 44
  GitHub Actions: 45
  Go: 3,248
  Maven: 5,000+
  npm: 5,000+
  NuGet: 867
  pip: 4,513
  Pub: 12
  RubyGems: 997
  Rust: 1,189
  Swift: 51
Unreviewed advisories
  All unreviewed: 5,000+
27,474 advisories
Ella Core panics on malformed NGAP Location Report
  High | CVE-2026-33282 was published for github.com/ellanetworks/core (Go) | Mar 19, 2026
Ella Core panics on invalid PDU Session IDs in NGAP messages
  Moderate | CVE-2026-33281 was published for github.com/ellanetworks/core (Go) | Mar 19, 2026
Intake has a Command Injection via shell() Expansion in Parameter Defaults
  High | CVE-2026-33310 was published for intake (pip) | Mar 19, 2026
Langflow has an Arbitrary File Write (RCE) via v2 API
  Critical | CVE-2026-33309 was published for langflow (pip) | Mar 19, 2026
Prototype Pollution via parse() in NodeJS flatted
  High | CVE-2026-33228 was published for flatted (npm) | Mar 19, 2026
Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets
  Moderate | CVE-2026-32694 was published for github.com/juju/juju (Go) | Mar 19, 2026
Juju has unauthorized access to out-of-scope Kubernetes secrets
  High | CVE-2026-32693 was published for github.com/juju/juju (Go) | Mar 19, 2026
Juju has unauthorized update of out-of-scope Vault secrets
  High | CVE-2026-32692 was published for github.com/juju/juju (Go) | Mar 19, 2026
Denial of service via non-terminating SYLT frame parsing loop in tinytag
  Moderate | CVE-2026-32889 was published for tinytag (pip) | Mar 19, 2026
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
  Moderate | CVE-2026-33297 was published for wwbn/avideo (Composer) | Mar 19, 2026
AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php
  Low | CVE-2026-33296 was published for wwbn/avideo (Composer) | Mar 19, 2026
AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php
  High | CVE-2026-33295 was published for wwbn/avideo (Composer) | Mar 19, 2026
AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources
  Moderate | CVE-2026-33294 was published for wwbn/avideo (Composer) | Mar 19, 2026
AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
  High | CVE-2026-33293 was published for wwbn/avideo (Composer) | Mar 19, 2026
AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
  High | CVE-2026-33292 was published for wwbn/avideo (Composer) | Mar 19, 2026
Cross-Site Tool Execution for HTTP Servers without Authorization in github.com/modelcontextprotocol/go-sdk
  High | CVE-2026-33252 was published for github.com/modelcontextprotocol/go-sdk (Go) | Mar 19, 2026
phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
  High | CVE-2026-32935 was published for phpseclib/phpseclib (Composer) | Mar 19, 2026
qui CORS Misconfiguration: Arbitrary Origins Trusted
  Critical | CVE-2026-30924 was published for github.com/autobrr/qui (Go) | Mar 19, 2026
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
  Critical | CVE-2026-30836 was published for github.com/smallstep/certificates (Go) | Mar 19, 2026
ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
  High | CVE-2026-27953 was published for ormar (pip) | Mar 19, 2026
pgproto3: Negative field length panics in DataRow.Decode
  High | CVE-2026-4427 was published for github.com/jackc/pgproto3/v2 (Go) | Mar 19, 2026
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
  Critical | GHSA-wvr4-3wq4-gpc5 was published for mcp-bridge (npm) | Mar 19, 2026
Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service
  Moderate | CVE-2026-33320 was published for github.com/tomwright/dasel/v3 (Go) | Mar 19, 2026
AVideo has Unauthenticated PGP Message Decryption via Public Endpoint
  Moderate | GHSA-5x2w-37xf-7962 was published for wwbn/avideo (Composer) | Mar 19, 2026
Ruby JSON has a format string injection vulnerability
  High | CVE-2026-33210 was published for json (RubyGems) | Mar 19, 2026
ProTip! Advisories are also available from the GraphQL API.