GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,114
Maven
5,000+
npm
5,000+
NuGet
826
pip
4,428
Pub
12
RubyGems
988
Rust
1,171
Swift
50
Unreviewed advisories
All unreviewed
5,000+
11,864 advisories
Filter by severity
AVideo has Unauthenticated IDOR - Playlist Information Disclosure
Moderate
GHSA-6w2r-cfpc-23r5
was published
for
wwbn/avideo
(Composer)
Mar 7, 2026
PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`
Moderate
GHSA-q6wc-xx4m-92fj
was published
for
@powersync/service-core
(npm)
Mar 7, 2026
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)
Moderate
GHSA-5q8v-j673-m5v4
was published
for
grumpydictator/firefly-iii
(Composer)
Mar 7, 2026
WeKnora has Unauthorized Cross‑Tenant Knowledge Base Cloning
Moderate
CVE-2026-30857
was published
for
github.com/Tencent/WeKnora
(Go)
Mar 6, 2026
WeKnora Vulnerable to Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection
Moderate
CVE-2026-30856
was published
for
github.com/Tencent/WeKnora
(Go)
Mar 6, 2026
Caddy's vars_regexp double-expands user input, leaking env vars and files
Moderate
CVE-2026-30852
was published
for
github.com/caddyserver/caddy/v2/modules/caddyhttp
(Go)
Mar 6, 2026
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names
Moderate
CVE-2026-30838
was published
for
league/commonmark
(Composer)
Mar 6, 2026
parse-server: Malformed `$regex` query leaks database error details in API response
Moderate
CVE-2026-30835
was published
for
parse-server
(npm)
Mar 6, 2026
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
Moderate
CVE-2026-30228
was published
for
parse-server
(npm)
Mar 6, 2026
Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens
Moderate
GHSA-9r75-g2cr-3h76
was published
for
@workflow/core
(npm)
Mar 6, 2026
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
Moderate
GHSA-jc5m-wrp2-qq38
was published
for
flowise
(npm)
Mar 5, 2026
Flowise has Insufficient Password Salt Rounds
Moderate
GHSA-x2g5-fvc2-gqvp
was published
for
flowise
(npm)
Mar 5, 2026
MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Injection and Email Forgery
Moderate
CVE-2026-30227
was published
for
MimeKit
(NuGet)
Mar 5, 2026
WeKnora is Vulnerable to SSRF via Redirection
Moderate
CVE-2026-30247
was published
for
github.com/Tencent/WeKnora
(Go)
Mar 5, 2026
mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint
Moderate
CVE-2026-29787
was published
for
mcp-memory-service
(pip)
Mar 5, 2026
@perfood/couch-auth has a host header injection vulnerability
Moderate
CVE-2025-70948
was published
for
@perfood/couch-auth
(npm)
Mar 5, 2026
Fonoster is vulnerable to directory traversal
Moderate
CVE-2024-43035
was published
for
@fonoster/voice
(npm)
Mar 5, 2026
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Moderate
CVE-2026-3419
was published
for
fastify
(npm)
Mar 5, 2026
OliveTin doesn't check view permission when returning dashboards
Moderate
CVE-2026-30233
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
Moderate
GHSA-7rhv-h82h-vpjh
was published
for
ec-cube/ec-cube
(Composer)
Mar 5, 2026
OliveTin has crash on NPE by calling APIs with invalid bindings or log references
Moderate
GHSA-fwhj-785h-43hh
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
OliveTin's RestartAction always runs actions as guest
Moderate
CVE-2026-30225
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session
Moderate
CVE-2026-30224
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
stellar-xdr's StringM::from_str bypasses max length validation
Moderate
CVE-2026-29795
was published
for
stellar-xdr
(Rust)
Mar 5, 2026
Gokapi has CSRF in Login Endpoint
Moderate
CVE-2026-29084
was published
for
github.com/forceu/gokapi
(Go)
Mar 5, 2026
ProTip!
Advisories are also available from the
GraphQL API