Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,114
Maven
5,000+
npm
5,000+
NuGet
826
pip
4,428
Pub
12
RubyGems
988
Rust
1,171
Swift
50
Unreviewed advisories
All unreviewed
5,000+

11,864 advisories

Loading
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
GHSA-6w2r-cfpc-23r5 was published for wwbn/avideo (Composer) Mar 7, 2026
Akokonunes Credited to Akokonunes
PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` Moderate
GHSA-q6wc-xx4m-92fj was published for @powersync/service-core (npm) Mar 7, 2026
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR) Moderate
GHSA-5q8v-j673-m5v4 was published for grumpydictator/firefly-iii (Composer) Mar 7, 2026
WeKnora has Unauthorized Cross‑Tenant Knowledge Base Cloning Moderate
CVE-2026-30857 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
WeKnora Vulnerable to Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection Moderate
CVE-2026-30856 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
Caddy's vars_regexp double-expands user input, leaking env vars and files Moderate
CVE-2026-30852 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp (Go) Mar 6, 2026
sammiee5311 Credited to sammiee5311
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names Moderate
CVE-2026-30838 was published for league/commonmark (Composer) Mar 6, 2026
parse-server: Malformed `$regex` query leaks database error details in API response Moderate
CVE-2026-30835 was published for parse-server (npm) Mar 6, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction Moderate
CVE-2026-30228 was published for parse-server (npm) Mar 6, 2026
devanshbatham Credited to devanshbatham and mtrezza mtrezza mtrezza
Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens Moderate
GHSA-9r75-g2cr-3h76 was published for @workflow/core (npm) Mar 6, 2026
pranaygp Credited to pranaygp, andresriancho, and TooTallNate andresriancho andresriancho
TooTallNate TooTallNate
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint Moderate
GHSA-jc5m-wrp2-qq38 was published for flowise (npm) Mar 5, 2026
tenbbughunters Credited to tenbbughunters
Flowise has Insufficient Password Salt Rounds Moderate
GHSA-x2g5-fvc2-gqvp was published for flowise (npm) Mar 5, 2026
kolega-ai-dev Credited to kolega-ai-dev
MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Injection and Email Forgery Moderate
CVE-2026-30227 was published for MimeKit (NuGet) Mar 5, 2026
KC1zs4 Credited to KC1zs4
WeKnora is Vulnerable to SSRF via Redirection Moderate
CVE-2026-30247 was published for github.com/Tencent/WeKnora (Go) Mar 5, 2026
aleister1102 Credited to aleister1102 and Haruna38 Haruna38 Haruna38
mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint Moderate
CVE-2026-29787 was published for mcp-memory-service (pip) Mar 5, 2026
yotampe-pluto Credited to yotampe-pluto
@perfood/couch-auth has a host header injection vulnerability Moderate
CVE-2025-70948 was published for @perfood/couch-auth (npm) Mar 5, 2026
Fonoster is vulnerable to directory traversal Moderate
CVE-2024-43035 was published for @fonoster/voice (npm) Mar 5, 2026
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation Moderate
CVE-2026-3419 was published for fastify (npm) Mar 5, 2026
TarPeg007 Credited to TarPeg007, jsumners, mcollina, and UlisesGascon jsumners jsumners
mcollina mcollina UlisesGascon UlisesGascon
OliveTin doesn't check view permission when returning dashboards Moderate
CVE-2026-30233 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface Moderate
GHSA-7rhv-h82h-vpjh was published for ec-cube/ec-cube (Composer) Mar 5, 2026
OliveTin has crash on NPE by calling APIs with invalid bindings or log references Moderate
GHSA-fwhj-785h-43hh was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
maru1009 Credited to maru1009
OliveTin's RestartAction always runs actions as guest Moderate
CVE-2026-30225 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session Moderate
CVE-2026-30224 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
stellar-xdr's StringM::from_str bypasses max length validation Moderate
CVE-2026-29795 was published for stellar-xdr (Rust) Mar 5, 2026
leighmcculloch Credited to leighmcculloch
Gokapi has CSRF in Login Endpoint Moderate
CVE-2026-29084 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu and Forceu Forceu Forceu
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database