GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,007 advisories

OneUptime: Synthetic Monitor RCE via exposed Playwright browser object Critical
GHSA-4j36-39gm-8vq8 was published for @oneuptime/common (npm) Mar 7, 2026
Credited to maru1009
x402 SDK Security Advisory High
GHSA-qr2g-p6q7-w82m was published for @x402/svm (Go) Mar 7, 2026
Shescape has possible misidentification of shell due to link chains Low
GHSA-6f6w-6j58-rq76 was published for shescape (npm) Mar 7, 2026
FUXA has a hardcoded fallback JWT signing secret High
GHSA-c8m8-3jcr-6rj5 was published for @frangoteam/fuxa (npm) Mar 7, 2026
Credited to blankshiro
OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE Critical
GHSA-h343-gg57-2q67 was published for @oneuptime/common (npm) Mar 7, 2026
Credited to hunterxsirago1
PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` Moderate
GHSA-q6wc-xx4m-92fj was published for @powersync/service-core (npm) Mar 7, 2026
parse-server: Malformed `$regex` query leaks database error details in API response Moderate
CVE-2026-30835 was published for parse-server (npm) Mar 6, 2026
Credited to fancymalware and mtrezza
Flowise Missing Authentication on NVIDIA NIM Endpoints High
CVE-2026-30824 was published for flowise (npm) Mar 6, 2026
Credited to tenbbughunters
Credited to berkdedekarginoglu
Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint High
CVE-2026-30822 was published for flowise (npm) Mar 6, 2026
Credited to yueyueL
Flowise has Arbitrary File Upload via MIME Spoofing High
CVE-2026-30821 was published for flowise (npm) Mar 6, 2026
Credited to im-soohyun
Flowise has Authorization Bypass via Spoofed x-request-from Header High
CVE-2026-30820 was published for flowise (npm) Mar 6, 2026
Credited to N3mes1s
Mercurius's queryDepth limit bypassed for WebSocket subscriptions Low
CVE-2026-30241 was published for mercurius (npm) Mar 6, 2026
Credited to TinkAnet and mcollina
Credited to devanshbatham and mtrezza
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction Moderate
CVE-2026-30228 was published for parse-server (npm) Mar 6, 2026
Credited to devanshbatham and mtrezza
Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens Moderate
GHSA-9r75-g2cr-3h76 was published for @workflow/core (npm) Mar 6, 2026
Credited to pranaygp, andresriancho, and TooTallNate
Credited to TinkAnet
Credited to TinkAnet
GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution High
CVE-2026-29783 was published for @github/copilot (npm) Mar 6, 2026
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint Moderate
GHSA-jc5m-wrp2-qq38 was published for flowise (npm) Mar 5, 2026
Credited to tenbbughunters
Flowise has Insufficient Password Salt Rounds Moderate
GHSA-x2g5-fvc2-gqvp was published for flowise (npm) Mar 5, 2026
Credited to kolega-ai-dev
@perfood/couch-auth has a host header injection vulnerability Moderate
CVE-2025-70948 was published for @perfood/couch-auth (npm) Mar 5, 2026
@perfood/couch-auth has an Observable Timing Discrepancy High
CVE-2025-70949 was published for @perfood/couch-auth (npm) Mar 5, 2026
Fonoster is vulnerable to directory traversal Moderate
CVE-2024-43035 was published for @fonoster/voice (npm) Mar 5, 2026
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation Moderate
CVE-2026-3419 was published for fastify (npm) Mar 5, 2026
Credited to TarPeg007, jsumners, mcollina, and UlisesGascon