GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+ | Composer 5,000+ | Erlang 45 | GitHub Actions 47 | Go 3,298 | Maven 5,000+ | npm 5,000+ | NuGet 876 | pip 4,527 | Pub 12 | RubyGems 1,008 | Rust 1,194 | Swift 51
Unreviewed advisories: All unreviewed 5,000+
27,688 advisories
Title | Severity | Advisory | Package (ecosystem) | Published
Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil | High | CVE-2026-33686 | code16/sharp (Composer) | Mar 25, 2026
Sharp has Unrestricted File Upload via Client-Controlled Validation Rules | High | CVE-2026-33687 | code16/sharp (Composer) | Mar 25, 2026
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation | High | CVE-2026-33517 | mantisbt/mantisbt (Composer) | Mar 25, 2026
AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr() | Moderate | CVE-2026-33690 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php | Moderate | GHSA-wxjx-r2j2-96fx | wwbn/avideo (Composer) | Mar 25, 2026
AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint | Moderate | CVE-2026-33688 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data | Moderate | CVE-2026-33685 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field | Moderate | CVE-2026-33683 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name | High | CVE-2026-33681 | wwbn/avideo (Composer) | Mar 25, 2026
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables | High | CVE-2026-33673 | prestashop/prestashop (Composer) | Mar 25, 2026
PrestaShop: Improper Use of Validation Framework | Low | CVE-2026-33674 | prestashop/prestashop (Composer) | Mar 25, 2026
SiYuan has directory traversal within its publishing service | Critical | CVE-2026-33670 | github.com/siyuan-note/siyuan/kernel (Go) | Mar 25, 2026
SiYuan has Arbitrary Document Reading within the Publishing Service | Critical | CVE-2026-33669 | github.com/siyuan-note/siyuan/kernel (Go) | Mar 25, 2026
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections | Moderate | CVE-2026-3635 | fastify (npm) | Mar 25, 2026
WeChat Pay callback signature verification bypassed when Host header is localhost | High | CVE-2026-33661 | yansongda/pay (Composer) | Mar 25, 2026
AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat() | High | CVE-2026-33651 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion | High | CVE-2026-33650 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification | High | CVE-2026-33649 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path | High | CVE-2026-33648 | wwbn/avideo (Composer) | Mar 25, 2026
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload | High | CVE-2026-33647 | wwbn/avideo (Composer) | Mar 25, 2026
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern | High | CVE-2026-33287 | liquidjs (npm) | Mar 25, 2026
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash | High | CVE-2026-33285 | liquidjs (npm) | Mar 25, 2026
@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling | Low | GHSA-8g29-8xwr-qmhr | @grackle-ai/server (npm) | Mar 25, 2026
@grackle-ai/server has a Missing Secure Flag on Session Cookie | Low | GHSA-5j35-xr4g-vwf4 | @grackle-ai/server (npm) | Mar 25, 2026
@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers | Moderate | GHSA-3mjm-x6gw-2x42 | @grackle-ai/server (npm) | Mar 25, 2026
Advisories are also available from the GraphQL API.