GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
332 advisories
Filter by severity
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Moderate
CVE-2026-52820
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
Moderate
CVE-2026-52819
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))
Moderate
CVE-2026-52772
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API
Moderate
GHSA-q4rm-m6xh-5pv7
was published
for
froxlor/froxlor
(Composer)
Jul 2, 2026
Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
High
CVE-2026-50284
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries
Low
GHSA-6c87-g9pw-78fx
was published
for
github.com/edgelesssys/contrast
(Go)
Jul 1, 2026
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate
CVE-2026-49288
was published
for
statamic/cms
(Composer)
Jun 26, 2026
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Moderate
CVE-2026-41262
was published
for
github.com/fleetdm/fleet/v4
(Go)
Jun 26, 2026
OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration
Low
CVE-2026-48709
was published
for
github.com/OliveTin/OliveTin
(Go)
Jun 24, 2026
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
Moderate
CVE-2026-50179
was published
for
@actual-app/web
(npm)
Jun 22, 2026
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
High
CVE-2026-54351
was published
for
@budibase/server
(npm)
Jun 22, 2026
@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
Moderate
CVE-2026-46700
was published
for
@actual-app/sync-server
(npm)
Jun 22, 2026
@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper
Moderate
CVE-2026-46672
was published
for
@actual-app/cli
(npm)
Jun 22, 2026
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data
Moderate
CVE-2026-33731
was published
for
wwbn/avideo
(Composer)
Jun 22, 2026
AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
Moderate
CVE-2026-33684
was published
for
wwbn/avideo
(Composer)
Jun 22, 2026
parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Low
GHSA-97pr-9hgg-3p8r
was published
for
parse-server
(npm)
Jun 19, 2026
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
Moderate
CVE-2026-55847
was published
for
io.qameta.allure:allure-generator
(Maven)
Jun 19, 2026
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
Moderate
CVE-2026-55846
was published
for
io.qameta.allure:allure-commandline
(Maven)
Jun 19, 2026
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Moderate
CVE-2026-53726
was published
for
parse-server
(npm)
Jun 19, 2026
parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Moderate
CVE-2026-53725
was published
for
parse-server
(npm)
Jun 19, 2026
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Low
CVE-2026-53724
was published
for
parse-server
(npm)
Jun 19, 2026
parse-server: Server option routeAllowList is bypassable through batch sub-requests
Moderate
CVE-2026-50008
was published
for
parse-server
(npm)
Jun 19, 2026
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
Low
GHSA-vxr8-fq34-vvx9
was published
for
dompurify
(npm)
Jun 15, 2026
DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
Moderate
GHSA-76mc-f452-cxcm
was published
for
dompurify
(npm)
Jun 15, 2026
DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
Moderate
CVE-2026-49458
was published
for
dompurify
(npm)
Jun 15, 2026
ProTip!
Advisories are also available from the
GraphQL API