GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,802 advisories
qui CORS Misconfiguration: Arbitrary Origins Trusted
Critical
CVE-2026-30924
was published
for
github.com/autobrr/qui
(Go)
Mar 19, 2026
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Critical
CVE-2026-30836
was published
for
github.com/smallstep/certificates
(Go)
Mar 19, 2026
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
Critical
GHSA-wvr4-3wq4-gpc5
was published
for
mcp-bridge
(npm)
Mar 19, 2026
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical
CVE-2026-32633
was published
for
Glances
(pip)
Mar 16, 2026
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)
Critical
CVE-2026-32940
was published
for
github.com/siyuan-note/siyuan
(Go)
Mar 17, 2026
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
Critical
CVE-2026-32938
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 17, 2026
File Browser Signup Grants Admin When Default Permissions Include Admin
Critical
CVE-2026-32760
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical
CVE-2026-32817
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod
Critical
CVE-2026-33211
was published
for
github.com/tektoncd/pipeline
(Go)
Mar 18, 2026
gRPC-Go has an authorization bypass via missing leading slash in :path
Critical
CVE-2026-33186
was published
for
google.golang.org/grpc
(Go)
Mar 18, 2026
HAPI FHIR HTTP authentication leak in redirects
Critical
CVE-2026-33180
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.convertors
(Maven)
Mar 18, 2026
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py
Critical
CVE-2026-33057
was published
for
mesop
(pip)
Mar 18, 2026
Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion
Critical
CVE-2026-33054
was published
for
mesop
(pip)
Mar 18, 2026
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
Critical
CVE-2026-32731
was published
for
@apostrophecms/import-export
(npm)
Mar 18, 2026
Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests
Critical
CVE-2025-12543
was published
for
io.undertow:undertow-core
(Maven)
Jan 7, 2026
pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
Critical
CVE-2024-23346
was published
for
pymatgen
(pip)
Feb 21, 2024
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Critical
CVE-2026-33017
was published
for
langflow
(pip)
Mar 17, 2026
jsPDF has HTML Injection in New Window paths
Critical
CVE-2026-31938
was published
for
jspdf
(npm)
Mar 17, 2026
Authlib JWS JWK Header Injection: Signature Verification Bypass
Critical
CVE-2026-27962
was published
for
authlib
(pip)
Mar 16, 2026
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Critical
CVE-2026-32767
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical
CVE-2026-32301
was published
for
github.com/centrifugal/centrifugo/v6
(Go)
Mar 13, 2026
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical
CVE-2026-32306
was published
for
oneuptime
(npm)
Mar 13, 2026
ProTip!
Advisories are also available from the
GraphQL API