GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
27,557 advisories
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
High: GHSA-8fw8-q79c-fp9m was published for wwbn/avideo (Composer), Mar 20, 2026
AVideo has an unauthenticated decrypt oracle leaking any ciphertext
High: GHSA-mwjc-5j4x-r686 was published for wwbn/avideo (Composer), Mar 20, 2026
webpki has a certificate revocation enforcement bug
Moderate: GHSA-pwjx-qhcg-rvj4 was published for rustls-webpki (Rust), Mar 20, 2026
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
High: CVE-2026-33509 was published for pyload-ng (pip), Mar 20, 2026
Parse Server LiveQuery subscription query depth bypass
High: CVE-2026-33508 was published for parse-server (npm), Mar 20, 2026
AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
High: CVE-2026-33507 was published for wwbn/avideo (Composer), Mar 20, 2026
Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow
Critical: GHSA-f67f-hcr6-94mf was published for SHAdd0WTAka/Zen-Ai-Pentest (GitHub Actions), Mar 20, 2026
DreamFactory has a directory traversal
High: CVE-2025-55988 was published for dreamfactory/df-core (Composer), Mar 20, 2026
AVideo has Unauthenticated SSRF via plugin/Live/test.php
Critical: CVE-2026-33502 was published for wwbn/avideo (Composer), Mar 20, 2026
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Moderate: CVE-2026-33501 was published for wwbn/avideo (Composer), Mar 20, 2026
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
Moderate: CVE-2026-33500 was published for wwbn/avideo (Composer), Mar 20, 2026
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
Moderate: CVE-2026-33499 was published for wwbn/avideo (Composer), Mar 20, 2026
Parse Server has a query condition depth bypass via pre-validation transform pipeline
High: CVE-2026-33498 was published for parse-server (npm), Mar 20, 2026
langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading
High: CVE-2026-33497 was published for langflow (pip), Mar 20, 2026
Ory Keto has a SQL injection via forged pagination tokens
High: CVE-2026-33505 was published for github.com/ory/keto (Go), Mar 20, 2026
Ory Hydra has a SQL injection via forged pagination tokens
High: CVE-2026-33504 was published for github.com/ory/hydra (Go), Mar 20, 2026
Ory Kratos has a SQL injection via forged pagination tokens
High: CVE-2026-33503 was published for github.com/ory/kratos (Go), Mar 20, 2026
Ory Oathkeeper has a path traversal authorization bypass
Critical: CVE-2026-33494 was published for github.com/ory/oathkeeper (Go), Mar 20, 2026
Ory Oathkeeper has an authentication bypass by cache key confusion
High: CVE-2026-33496 was published for github.com/ory/oathkeeper (Go), Mar 20, 2026
Ory Oathkeeper has an authentication bypass by usage of untrusted header
Moderate: CVE-2026-33495 was published for github.com/ory/oathkeeper (Go), Mar 20, 2026
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Moderate: GHSA-4hxc-9384-m385 was published for h3 (npm), Mar 20, 2026
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Low: CVE-2026-33490 was published for h3 (npm), Mar 20, 2026
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
Moderate: GHSA-72gr-qfp7-vwhw was published for h3 (npm), Mar 20, 2026
AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
High: CVE-2026-33493 was published for wwbn/avideo (Composer), Mar 20, 2026
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
High: CVE-2026-33492 was published for wwbn/avideo (Composer), Mar 20, 2026
ProTip! Advisories are also available from the GraphQL API