
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,583 advisories

H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation (Moderate)
GHSA-fp4x-ggrf-wmc6 was published for h3 (npm) Mar 23, 2026
Credited to restriction

H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service (Moderate)
GHSA-q5pr-72pq-83v3 was published for h3 (npm) Mar 23, 2026
Credited to restriction

Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents (Moderate)
CVE-2026-33486 was published for roadiz/documents (Composer) Mar 23, 2026
Credited to ROCmertakdag and ambroisemaupate

Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions (High)
CVE-2026-33430 was published for briefcase (pip) Mar 23, 2026
Credited to lrandersson

Rails Active Storage has possible glob injection in its DiskService (Moderate)
CVE-2026-33202 was published for activestorage (RubyGems) Mar 23, 2026

Rails Active Storage has possible Path Traversal in DiskService (High)
CVE-2026-33195 was published for activestorage (RubyGems) Mar 23, 2026

Rails Active Support has a possible DoS vulnerability in its number helpers (Moderate)
CVE-2026-33176 was published for activesupport (RubyGems) Mar 23, 2026

Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests (Moderate)
CVE-2026-33174 was published for activestorage (RubyGems) Mar 23, 2026

Rails Active Storage has possible content type bypass via metadata in direct uploads (Moderate)
CVE-2026-33173 was published for activestorage (RubyGems) Mar 23, 2026

Rails Active Support has a possible XSS vulnerability in SafeBuffer#% (Moderate)
CVE-2026-33170 was published for activesupport (RubyGems) Mar 23, 2026

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited (Moderate)
CVE-2026-33169 was published for activesupport (RubyGems) Mar 23, 2026

Rails has a possible XSS vulnerability in its Action View tag helpers (Low)
CVE-2026-33168 was published for actionview (RubyGems) Mar 23, 2026

Rails has a possible XSS vulnerability in its Action Pack debug exceptions (Low)
CVE-2026-33167 was published for actionpack (RubyGems) Mar 23, 2026

Indico discloses local files resulting in Remote Code Execution through LaTeX injection (High)
CVE-2026-33046 was published for indico (pip) Mar 23, 2026
Credited to dreyercito and daw1012345

Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information (High)
CVE-2026-32300 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature (High)
CVE-2026-32299 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin (Moderate)
CVE-2026-32279 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin (High)
CVE-2026-32278 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View (High)
CVE-2026-32277 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin (High)
CVE-2026-32276 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check (Moderate)
CVE-2026-30886 was published for github.com/QuantumNous/new-api (Go) Mar 23, 2026
Credited to Mistz1 and Calcium-Ion

MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL (Critical)
CVE-2026-30849 was published for mantisbt/mantisbt (Composer) Mar 23, 2026
Credited to JBince and dregad

Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground (Moderate)
CVE-2026-27131 was published for putyourlightson/craft-sprig (Composer) Mar 23, 2026
Credited to Neosprings

cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads (High)
CVE-2026-26209 was published for cbor2 (pip) Mar 23, 2026
Credited to romanticpragmatism

New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure (Moderate)
CVE-2026-32879 was published for github.com/QuantumNous/new-api (Go) Mar 23, 2026
Credited to asdf2adsfad and seefs001