Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
45
GitHub Actions
47
Go
3,309
Maven
5,000+
npm
5,000+
NuGet
876
pip
4,531
Pub
12
RubyGems
1,009
Rust
1,195
Swift
51
Unreviewed advisories
All unreviewed
5,000+

5,289 advisories

Loading
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix) Moderate
GHSA-4hxc-9384-m385 was published for h3 (npm) Mar 20, 2026
offset Credited to offset
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes Low
CVE-2026-33490 was published for h3 (npm) Mar 20, 2026
offset Credited to offset
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e` Moderate
GHSA-72gr-qfp7-vwhw was published for h3 (npm) Mar 20, 2026
offset Credited to offset
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings High
CVE-2026-33468 was published for kysely (npm) Mar 20, 2026
offset Credited to offset and igalklebanov igalklebanov igalklebanov
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. High
CVE-2026-33442 was published for kysely (npm) Mar 20, 2026
offset Credited to offset and igalklebanov igalklebanov igalklebanov
Parse Server has a protected field change detection oracle via LiveQuery watch parameter Moderate
CVE-2026-33429 was published for parse-server (npm) Mar 20, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled Moderate
GHSA-pgx6-7jcq-2qff was published for @pdfme/common (npm) Mar 20, 2026
offset Credited to offset
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel Moderate
GHSA-xgx4-2wgv-4jhm was published for @pdfme/schemas (npm) Mar 20, 2026
offset Credited to offset
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS Moderate
GHSA-vrqm-gvq7-rrwh was published for @pdfme/pdf-lib (npm) Mar 20, 2026
offset Credited to offset
Parse Server's LiveQuery bypasses CLP pointer permission enforcement High
CVE-2026-33421 was published for parse-server (npm) Mar 20, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize() High
CVE-2026-33418 was published for @dicebear/converter (npm) Mar 20, 2026
offset Credited to offset
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC High
CVE-2026-32887 was published for effect (npm) Mar 20, 2026
jamesone Credited to jamesone
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify High
CVE-2026-33331 was published for @orpc/openapi (npm) Mar 20, 2026
abhayclasher Credited to abhayclasher
Qwik City has array method pollution in FormData processing allows type confusion and DoS High
CVE-2026-32701 was published for @builder.io/qwik-city (npm) Mar 20, 2026
Y4tacker Credited to Y4tacker
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
GHSA-x49q-fhhm-r9jf was published for openclaw (npm) Mar 20, 2026 withdrawn
Parse Server has an auth provider validation bypass on login via partial authData High
CVE-2026-33409 was published for parse-server (npm) Mar 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR Moderate
CVE-2026-33397 was published for @angular/ssr (npm) Mar 19, 2026
VenkatKwest Credited to VenkatKwest, alan-agius4, securityMB, josephperrott, and AndrewKushnir alan-agius4 alan-agius4
securityMB securityMB josephperrott josephperrott AndrewKushnir AndrewKushnir
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser Moderate
CVE-2026-33349 was published for fast-xml-parser (npm) Mar 19, 2026
offset Credited to offset
@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix) Moderate
CVE-2026-33326 was published for @keystone-6/core (npm) Mar 19, 2026
n0wsh Credited to n0wsh
Parse Server email verification resend page leaks user existence Moderate
CVE-2026-33323 was published for parse-server (npm) Mar 19, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials Moderate
CVE-2026-33311 was published for @dicebear/core (npm) Mar 19, 2026
offset Credited to offset
Prototype Pollution via parse() in NodeJS flatted High
CVE-2026-33228 was published for flatted (npm) Mar 19, 2026
yohannslm Credited to yohannslm
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint Critical
GHSA-wvr4-3wq4-gpc5 was published for mcp-bridge (npm) Mar 19, 2026
riczardo Credited to riczardo
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File High
CVE-2026-33068 was published for @anthropic-ai/claude-code (npm) Mar 19, 2026
Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution Moderate
GHSA-xrgv-34cc-q765 was published for openclaw (npm) Mar 19, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database