GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 44
GitHub Actions: 45
Go: 3,212
Maven: 5,000+
npm: 5,000+
NuGet: 864
pip: 4,494
Pub: 12
RubyGems: 995
Rust: 1,186
Swift: 51

Unreviewed advisories
All unreviewed: 5,000+

18 advisories

h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read
Moderate | GHSA-wr4h-v87w-p3r7 was published for h3 (npm) | Mar 18, 2026

h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
High | CVE-2026-33128 was published for h3 (npm) | Mar 18, 2026

SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata
Moderate | CVE-2026-33067 was published for github.com/siyuan-note/siyuan/kernel (Go) | Mar 18, 2026

SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
Moderate | CVE-2026-33066 was published for github.com/siyuan-note/siyuan/kernel (Go) | Mar 18, 2026

SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS
Moderate | GHSA-v3mg-9v85-fcm7 was published for siyuan (Go) | Mar 16, 2026

SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
Moderate | CVE-2026-32751 was published for github.com/siyuan-note/siyuan/kernel (Go) | Mar 16, 2026

SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
Moderate | GHSA-xp2m-98x8-rpj6 was published for github.com/siyuan-note/siyuan/kernel (Go) | Mar 16, 2026

Dagu: SSE Authentication Bypass in Basic Auth Mode
High | CVE-2026-31882 was published for dagu (npm) | Mar 13, 2026

Parse Server has a SQL injection via query field name when using PostgreSQL
Moderate | CVE-2026-32234 was published for parse-server (npm) | Mar 12, 2026

Parse Server vulnerable to user enumeration via email verification endpoint
Moderate | CVE-2026-31901 was published for parse-server (npm) | Mar 11, 2026

Parse Server's MFA recovery codes not consumed after use
High | CVE-2026-31875 was published for parse-server (npm) | Mar 11, 2026

Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Moderate | GHSA-v8w9-8mx6-g223 was published for hono (npm) | Mar 11, 2026

Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
Moderate | CVE-2026-31828 was published for parse-server (npm) | Mar 11, 2026

Parse Server has a protected fields bypass via logical query operators
High | CVE-2026-30962 was published for parse-server (npm) | Mar 11, 2026

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
High | CVE-2026-30941 was published for parse-server (npm) | Mar 11, 2026

SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS
Moderate | CVE-2026-31809 was published for github.com/siyuan-note/siyuan/kernel (Go) | Mar 10, 2026

SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
Moderate | CVE-2026-31807 was published for github.com/siyuan-note/siyuan/kernel (Go) | Mar 10, 2026

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Moderate | CVE-2026-30938 was published for parse-server (npm) | Mar 10, 2026

ProTip! Advisories are also available from the GraphQL API