GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

109 advisories

Locutus has Prototype Pollution via __proto__ Key Injection in unserialize() Moderate
CVE-2026-33993 was published for locutus (npm) Mar 27, 2026
Credited to offset
Ella Core Panics during NAS Authentication Response/Failure with missing IEs Moderate
CVE-2026-33907 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
Credited to offset
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
Credited to offset
Ella Core has a Denial of Service via SCTP connection cleanup deadlock Moderate
CVE-2026-33904 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
Credited to offset
Ella Core panics when processing a crafted NGAP LocationReport message Moderate
CVE-2026-33903 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
Credited to offset
Statamic allows unauthorized content access through missing authorization in its revision controllers Moderate
CVE-2026-33887 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields Moderate
CVE-2026-33886 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential Moderate
CVE-2026-33885 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset
Statamic's live preview token bypasses content protection for unrelated entries Moderate
CVE-2026-33884 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag Moderate
CVE-2026-33883 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions Moderate
CVE-2026-33764 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to offset
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle Moderate
CVE-2026-33763 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to offset
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents Moderate
CVE-2026-33759 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to offset
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR Critical
GHSA-2pv8-4c52-mf8j was published for code.vikunja.io/api (Go) Mar 26, 2026
Credited to offset
AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter High
CVE-2026-33723 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment High
CVE-2026-33719 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL High
CVE-2026-33717 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php Critical
CVE-2026-33716 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download Moderate
CVE-2026-33679 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion High
CVE-2026-33678 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API Moderate
CVE-2026-33677 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources Moderate
CVE-2026-33675 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset