GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,190 advisories

socket.io allows an unbounded number of binary attachments High
CVE-2026-33151 was published for socket.io-parser (npm) Mar 18, 2026
Credited to x4cc3 and darrachequesne
OneUptime WhatsApp Webhook Missing Signature Verification High
CVE-2026-33143 was published for oneuptime (npm) Mar 18, 2026
Credited to n0rv-TvT
Credited to vnykmshr
h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read Moderate
GHSA-wr4h-v87w-p3r7 was published for h3 (npm) Mar 18, 2026
Credited to 0xkakash1
h3 has a middleware bypass with one gadget High
CVE-2026-33131 was published for h3 (npm) Mar 18, 2026
Credited to hibwyli
h3 has an observable timing discrepancy in basic auth utils Moderate
CVE-2026-33129 was published for h3 (npm) Mar 18, 2026
Credited to simonkoeck
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields High
CVE-2026-33128 was published for h3 (npm) Mar 18, 2026
Credited to 0xkakash1
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas Moderate
GHSA-87v3-4cfp-cm76 was published for @pdfme/schemas (npm) Mar 18, 2026
Credited to deprrous
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas Moderate
GHSA-qq9g-96v4-m3cj was published for @pdfme/schemas (npm) Mar 18, 2026
Credited to deprrous
Credited to Judel777
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks Moderate
CVE-2026-33060 was published for @aborruso/ckan-mcp-server (npm) Mar 18, 2026
Credited to abcgco
Credited to EthanKim88 and igalklebanov
music-metadata has an infinite loop vulnerability in ASF parser High
CVE-2026-32256 was published for music-metadata (npm) Mar 17, 2026
Credited to ByamB4
Parse Server affected by empty authData bypassing credential requirement on signup Moderate
CVE-2026-33042 was published for parse-server (npm) Mar 17, 2026
Credited to fancymalware and mtrezza
Credited to deprrous
Nest Fastify HEAD Request Middleware Bypass High
CVE-2026-33011 was published for @nestjs/platform-fastify (npm) Mar 17, 2026
Credited to kamilmysliwiec
Parse Server LiveQuery subscription with invalid regular expression crashes server Moderate
CVE-2026-32770 was published for parse-server (npm) Mar 17, 2026
Credited to fancymalware and mtrezza
Parse Server session creation endpoint allows overwriting server-generated session fields Moderate
CVE-2026-32742 was published for parse-server (npm) Mar 17, 2026
Credited to mtrezza
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy Moderate
CVE-2026-32878 was published for parse-server (npm) Mar 17, 2026
Credited to restriction and mtrezza
Parse Server's Cloud function dispatch crashes server via prototype chain traversal High
CVE-2026-32886 was published for parse-server (npm) Mar 17, 2026
Credited to fancymalware and mtrezza
Parse Server has a password reset token single-use bypass via concurrent requests Low
GHSA-r3xq-68wh-gwvh was published for parse-server (npm) Mar 17, 2026
Credited to fancymalware and mtrezza
Parse Server crash via deeply nested query condition operators High
GHSA-9xp9-j92r-p88v was published for parse-server (npm) Mar 17, 2026
Credited to mtrezza
jsPDF has HTML Injection in New Window paths Critical
CVE-2026-31938 was published for jspdf (npm) Mar 17, 2026
Credited to sofianeelhor and peaktwilight
jsPDF has a PDF Object Injection via FreeText color High
CVE-2026-31898 was published for jspdf (npm) Mar 17, 2026
Credited to sofianeelhor and peaktwilight
Elysia Cookie Value Prototype Pollution Moderate
CVE-2026-31865 was published for elysia (npm) Mar 17, 2026