GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
27 advisories
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
High
CVE-2026-33509
was published
for
pyload-ng
(pip)
Mar 20, 2026
AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
High
CVE-2026-33507
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
High
CVE-2026-33493
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
High
CVE-2026-33488
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
High
CVE-2026-33468
was published
for
kysely
(npm)
Mar 20, 2026
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
High
CVE-2026-33442
was published
for
kysely
(npm)
Mar 20, 2026
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
High
CVE-2026-33483
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
High
CVE-2026-33482
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
High
CVE-2026-33421
was published
for
parse-server
(npm)
Mar 20, 2026
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
High
CVE-2026-33480
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
High
CVE-2026-33479
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
High
CVE-2026-33418
was published
for
@dicebear/converter
(npm)
Mar 20, 2026
Parse Server has an auth provider validation bypass on login via partial authData
High
CVE-2026-33409
was published
for
parse-server
(npm)
Mar 19, 2026
AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
High
CVE-2026-33293
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
High
CVE-2026-33292
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
High
CVE-2026-32813
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
High
CVE-2026-32634
was published
for
Glances
(pip)
Mar 16, 2026
Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements
High
CVE-2026-32611
was published
for
Glances
(pip)
Mar 16, 2026
Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
High
CVE-2026-32610
was published
for
Glances
(pip)
Mar 16, 2026
Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
High
CVE-2026-32609
was published
for
Glances
(pip)
Mar 16, 2026
Glances has a Command Injection via Process Names in Action Command Templates
High
CVE-2026-32608
was published
for
Glances
(pip)
Mar 16, 2026
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")
High
CVE-2026-32308
was published
for
oneuptime
(npm)
Mar 13, 2026
StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
High
CVE-2026-32101
was published
for
@studiocms/s3-storage
(npm)
Mar 12, 2026
Parse Server has a protected fields bypass via dot-notation in query and sort
High
CVE-2026-31872
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server missing audience validation in Keycloak authentication adapter
High
CVE-2026-30949
was published
for
parse-server
(npm)
Mar 11, 2026
ProTip!
Advisories are also available from the
GraphQL API