GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,771 advisories
Parse Server: Account takeover via operator injection in authentication data identifier
Critical
CVE-2026-32248
was published
for
parse-server
(npm)
Mar 12, 2026
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Critical
CVE-2026-32242
was published
for
parse-server
(npm)
Mar 12, 2026
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Critical
CVE-2026-32136
was published
for
github.com/AdguardTeam/AdGuardHome
(Go)
Mar 12, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
xygeni-action v5 tag poisoned with C2 backdoor
Critical
CVE-2026-31976
was published
for
xygeni/xygeni-action
(GitHub Actions)
Mar 11, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871
was published
for
parse-server
(npm)
Mar 11, 2026
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
Critical
CVE-2026-31862
was published
for
@siteboon/claudecodeui
(npm)
Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
n8n Vulnerable to Remote Code Execution via Expression Injection
Critical
CVE-2025-68613
was published
for
n8n
(npm)
Dec 22, 2025
Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go
Critical
GHSA-j443-wcqq-xprh
was published
for
github.com/arslanbekov/terraform-provider-sendgrid
(Go)
Mar 11, 2026
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Critical
CVE-2026-30966
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Critical
CVE-2026-30965
was published
for
parse-server
(npm)
Mar 11, 2026
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Critical
CVE-2026-29793
was published
for
@feathersjs/mongodb
(npm)
Mar 10, 2026
Feathers has an OAuth Callback Account Takeover issue
Critical
CVE-2026-29792
was published
for
@feathersjs/authentication-oauth
(npm)
Mar 10, 2026
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
Critical
CVE-2026-28446
was published
for
openclaw
(npm)
Feb 17, 2026
Linkdave Missing Authentication on REST and WebSocket endpoints
Critical
GHSA-xv8g-fj9h-6gmv
was published
for
github.com/shi-gg/linkdave
(Go)
Mar 10, 2026
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment
Critical
CVE-2026-27825
was published
for
mcp-atlassian
(pip)
Mar 10, 2026
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30957
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Critical
CVE-2026-30956
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
ProTip!
Advisories are also available from the
GraphQL API