GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,806 advisories
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
Critical
CVE-2026-32013
was published
for
openclaw
(npm)
Mar 2, 2026
Statamic is vulnerable to account takeover via password reset link injection
Critical
CVE-2026-27593
was published
for
statamic/cms
(Composer)
Feb 24, 2026
jsPDF has HTML Injection in New Window paths
Critical
CVE-2026-31938
was published
for
jspdf
(npm)
Mar 17, 2026
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Critical
CVE-2026-25534
was published
for
io.spinnaker.clouddriver:clouddriver-artifacts
(Maven)
Mar 16, 2026
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Critical
CVE-2026-32621
was published
for
@apollo/federation-internals
(npm)
Mar 13, 2026
AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
Critical
CVE-2026-33352
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Critical
CVE-2026-33351
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
MinIO has JWT Algorithm Confusion in OIDC Authentication
Critical
CVE-2026-33322
was published
for
github.com/minio/minio
(Go)
Mar 19, 2026
Langflow has an Arbitrary File Write (RCE) via v2 API
Critical
CVE-2026-33309
was published
for
langflow
(pip)
Mar 19, 2026
qui CORS Misconfiguration: Arbitrary Origins Trusted
Critical
CVE-2026-30924
was published
for
github.com/autobrr/qui
(Go)
Mar 19, 2026
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Critical
CVE-2026-30836
was published
for
github.com/smallstep/certificates
(Go)
Mar 19, 2026
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
Critical
GHSA-wvr4-3wq4-gpc5
was published
for
mcp-bridge
(npm)
Mar 19, 2026
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical
CVE-2026-32633
was published
for
Glances
(pip)
Mar 16, 2026
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)
Critical
CVE-2026-32940
was published
for
github.com/siyuan-note/siyuan
(Go)
Mar 17, 2026
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
Critical
CVE-2026-32938
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 17, 2026
File Browser Signup Grants Admin When Default Permissions Include Admin
Critical
CVE-2026-32760
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical
CVE-2026-32817
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
ProTip!
Advisories are also available from the
GraphQL API