
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,008 advisories

Anytype Heart's gRPC API client challenge verification can be bypassed on localhost (Low)
CVE-2026-31863 was published for github.com/anyproto/anytype-cli (Go) on Mar 11, 2026

Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page (Low)
GHSA-g3hp-vvqf-8vw6 was published for craftcms/cms (Composer) on Mar 11, 2026
Credited to mHe4am

CraftCMS has an RCE vulnerability via relational conditionals in the control panel (High)
CVE-2026-31857 was published for craftcms/cms (Composer) on Mar 11, 2026
Credited to Neosprings

Striae has a hash validation utility vulnerability (High)
CVE-2026-31839 was published for @striae-org/striae (npm) on Mar 11, 2026
Credited to StephenJLu

Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks (High)
CVE-2026-31834 was published for Umbraco.Cms (NuGet) on Mar 11, 2026
Credited to odgrso

Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering (Moderate)
CVE-2026-31833 was published for Umbraco.Cms (NuGet) on Mar 11, 2026
Credited to odgrso

Cosmos EVM: incorrect state handling during nested EVM execution paths (Critical)
GHSA-54gx-3cgr-7mfm was published for github.com/cosmos/evm (Go) on Mar 11, 2026

Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values (Moderate)
CVE-2026-29777 was published for github.com/traefik/traefik/v3 (Go) on Mar 11, 2026
Credited to 1seal

Unauthorized access to Argo Workflows Template (High)
CVE-2026-28229 was published for github.com/argoproj/argo-workflows/v3 (Go) on Mar 11, 2026
Credited to Masamuneee

Quill has DoS via unbounded read of HTTP response body during notarization (Moderate)
CVE-2026-31960 was published for github.com/anchore/quill (Go) on Mar 11, 2026

Quill has unbounded memory allocation via unvalidated size fields in Mach-O binary parsing (Moderate)
CVE-2026-31961 was published for github.com/anchore/quill (Go) on Mar 11, 2026

Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval (Moderate)
CVE-2026-31959 was published for github.com/anchore/quill (Go) on Mar 11, 2026

@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection (Critical)
CVE-2026-31975 was published for @siteboon/claude-code-ui (npm) on Mar 11, 2026
Credited to Ethan-Yang-opcia, DhiyaneshGeek, and neo-ai-engineer

Parse Server vulnerable to user enumeration via email verification endpoint (Moderate)
CVE-2026-31901 was published for parse-server (npm) on Mar 11, 2026
Credited to 0xkakash1 and mtrezza

Parse Server's MFA recovery codes not consumed after use (High)
CVE-2026-31875 was published for parse-server (npm) on Mar 11, 2026
Credited to 0xkakash1 and mtrezza

Parse Server has a protected fields bypass via dot-notation in query and sort (High)
CVE-2026-31872 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL (Critical)
CVE-2026-31871 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types (Moderate)
CVE-2026-31868 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

flagd Vulnerable to Allocation of Resources Without Limits or Throttling (High)
CVE-2026-31866 was published for github.com/open-feature/flagd/flagd (Go) on Mar 11, 2026
Credited to danipalli, marcozabel, and toddbaert

Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go (Critical)
GHSA-j443-wcqq-xprh was published for github.com/arslanbekov/terraform-provider-sendgrid (Go) on Mar 11, 2026
Credited to aiell0
Credited to 0xkakash1

actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects (Moderate)
GHSA-vhj5-x93p-67jw was published for actix-web-lab (Rust) on Mar 11, 2026

CraftCMS's `ElementSearchController` Affected by Blind SQL Injection (High)
CVE-2026-31858 was published for craftcms/cms (Composer) on Mar 11, 2026
Credited to Neosprings

Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL (Critical)
CVE-2026-31856 was published for parse-server (npm) on Mar 11, 2026
Credited to restriction and mtrezza

CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization (Low)
CVE-2026-31859 was published for craftcms/cms (Composer) on Mar 11, 2026