
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,411 advisories

MCP Connect has unauthenticated remote OS command execution via /bridge endpoint Critical
GHSA-wvr4-3wq4-gpc5 was published for mcp-bridge (npm) Mar 19, 2026
Credited to riczardo
Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service Moderate
GHSA-4fcp-jxh7-23x8 was published for github.com/tomwright/dasel/v3 (Go) Mar 19, 2026
Credited to kq5y
AVideo has Unauthenticated PGP Message Decryption via Public Endpoint Moderate
GHSA-5x2w-37xf-7962 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to fg0x0
Ruby JSON has a format string injection vulnerability High
CVE-2026-33210 was published for json (RubyGems) Mar 19, 2026
Credited to DavidKorczynski
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command Moderate
GHSA-w5ff-2mjc-4phc was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to restriction
Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing High
CVE-2026-33241 was published for salvo (Rust) Mar 19, 2026
Credited to yshing
Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass High
CVE-2026-33242 was published for salvo (Rust) Mar 19, 2026
Credited to tomasilluminati
Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk High
GHSA-q382-vc8q-7jhj was published for github.com/modelcontextprotocol/go-sdk (Go) Mar 19, 2026
Credited to anaximand3r
AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration Moderate
CVE-2026-33238 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to restriction
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation Moderate
CVE-2026-33237 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to restriction
Juju affected by timing ownership claim attack on new external back-end secrets Moderate
CVE-2026-32691 was published for github.com/juju/juju (Go) Mar 19, 2026
Credited to hpidcock
NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite High
CVE-2026-33236 was published for nltk (pip) Mar 19, 2026
Unauthenticated remote shutdown in nltk.app.wordnet_app High
CVE-2026-33231 was published for nltk (pip) Mar 19, 2026
Credited to leduckhuong
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File High
CVE-2026-33068 was published for @anthropic-ai/claude-code (npm) Mar 19, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk Moderate
CVE-2026-33230 was published for nltk (pip) Mar 18, 2026
Credited to leduckhuong
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview High
CVE-2026-33226 was published for budibase (npm) Mar 18, 2026
Credited to da7om85
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
Credited to 0xkakash1
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod Critical
CVE-2026-33211 was published for github.com/tektoncd/pipeline (Go) Mar 18, 2026
Credited to 1seal, vdemeester, afrittoli, and KoreaSecurity
JustHTML has a Sanitizer Bypass (in Markdown) Moderate
GHSA-3rcm-vjrc-p45j was published for justhtml (pip) Mar 18, 2026
Credited to kejcao
JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script) Moderate
GHSA-qvc2-mg72-jjhx was published for justhtml (pip) Mar 18, 2026
Credited to restriction
Unsigned SAML LogoutRequest Acceptance in gosaml2 High
GHSA-pcgw-qcv5-h8ch was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
Credited to xclow3n
gosaml2 CBC Padding Panic — Unauthenticated Process Crash High
GHSA-hwqm-qvj9-4jr2 was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
Credited to xclow3n
validateSignature Loop Variable Capture Signature Bypass in goxmldsig High
GHSA-479m-364c-43vc was published for github.com/russellhaering/goxmldsig (Go) Mar 18, 2026
Credited to tomasilluminati
Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS Moderate
GHSA-rf74-v2fm-23pw was published for nltk (pip) Mar 18, 2026
Credited to ZeroXJacks
mo has a XSS via inline SVG script tags in Markdown rendering Low
GHSA-vccx-p757-pv6h was published for github.com/k1LoW/mo (Go) Mar 18, 2026
Credited to yagihash
ProTip! Advisories are also available from the GraphQL API