GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 44
GitHub Actions: 45
Go: 3,212
Maven: 5,000+
npm: 5,000+
NuGet: 864
pip: 4,494
Pub: 12
RubyGems: 995
Rust: 1,186
Swift: 51

Unreviewed advisories
All unreviewed: 5,000+
27,354 advisories
Denial of service in github.com/jackc/pgproto3/v2 (High)
GHSA-jqcq-xjh3-6g23 was published for github.com/jackc/pgproto3/v2 (Go), Mar 18, 2026

Denial of service in github.com/buger/jsonparser (High)
GHSA-6g7g-w4f8-9c9x was published for github.com/buger/jsonparser (Go), Mar 18, 2026

Denial of service in github.com/shamaton/msgpack (High)
GHSA-h9q6-hc68-35rp was published for github.com/shamaton/msgpack/v2 (Go), Mar 18, 2026

SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks (Moderate)
CVE-2026-33060 was published for @aborruso/ckan-mcp-server (npm), Mar 18, 2026

SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. (High)
CVE-2026-32763 was published for kysely (npm), Mar 18, 2026

File Browser has an Authorization Policy Bypass in Public Share Download Flow (Moderate)
CVE-2026-32761 was published for https://github.com/filebrowser/filebrowser (Go), Mar 18, 2026

Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121 (Moderate)
GHSA-594f-3595-c47v was published for github.com/argoproj-labs/terraform-provider-argocd (Go), Mar 18, 2026

Langflow is Missing Ownership Verification in API Key Deletion (IDOR) (High)
CVE-2026-33053 was published for langflow (pip), Mar 18, 2026

Craft CMS Vulnerable to Stored XSS in Revision Context Menu (Moderate)
CVE-2026-33051 was published for craftcms/cms (Composer), Mar 18, 2026

Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit (Moderate)
CVE-2026-4269 was published for bedrock-agentcore-starter-toolkit (pip), Mar 17, 2026

AWS API MCP File Access Restriction Bypass (Moderate)
CVE-2026-4270 was published for awslabs.aws-api-mcp-server (pip), Mar 17, 2026

AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy (High)
CVE-2026-33039 was published for wwbn/avideo (Composer), Mar 17, 2026

Unauthenticated Reflected XSS via innerHTML in AVideo (Moderate)
CVE-2026-33035 was published for wwbn/avideo (Composer), Mar 17, 2026

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint (Critical)
CVE-2026-33017 was published for langflow (pip), Mar 17, 2026

music-metadata has an infinite loop vulnerability in ASF parser (High)
CVE-2026-32256 was published for music-metadata (npm), Mar 17, 2026

AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS (High)
CVE-2026-33043 was published for wwbn/avideo (Composer), Mar 17, 2026

Parse Server affected by empty authData bypassing credential requirement on signup (Moderate)
CVE-2026-33042 was published for parse-server (npm), Mar 17, 2026

astral-tokio-tar insufficiently validates PAX extensions during extraction (Low)
CVE-2026-32766 was published for astral-tokio-tar (Rust), Mar 17, 2026

AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php (Moderate)
CVE-2026-33041 was published for wwbn/avideo (Composer), Mar 17, 2026

AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments (High)
CVE-2026-33038 was published for wwbn/avideo (Composer), Mar 17, 2026

Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun (Moderate)
CVE-2026-33022 was published for github.com/tektoncd/pipeline (Go), Mar 17, 2026

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) (High)
CVE-2026-33036 was published for fast-xml-parser (npm), Mar 17, 2026

Tillitis TKey Client has an Error in Protocol Implementation (Moderate)
CVE-2026-32953 was published for github.com/tillitis/tkeyclient (Go), Mar 17, 2026

Micronaut Framework vulnerable to a Denial of Service in HTML error response caching (High)
CVE-2026-33012 was published for io.micronaut:micronaut-http-server (Maven), Mar 17, 2026

Nest Fastify HEAD Request Middleware Bypass (High)
CVE-2026-33011 was published for @nestjs/platform-fastify (npm), Mar 17, 2026

ProTip! Advisories are also available from the GraphQL API