GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
62 advisories
Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft
Severity: High | GHSA-p64j-f4x9-wq66 | github.com/lin-snow/Ech0 (Go) | published May 7, 2026
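The advisory title above describes a redirect URI check that ignores the path. The following Go program is an added illustration of that flaw class and of the exact-match rule that closes it; it is not Ech0's code, and the client, registered URI and attacker URLs in it are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Registered redirect URI for a hypothetical OAuth client (constructed for this example).
const registeredRedirect = "https://app.example.com/oauth/callback"

// weakRedirectMatch models the flaw class the advisory title describes: the
// check compares only scheme and host, so any path on the trusted host passes.
// An attacker who controls any page on that host, or can reach an open
// redirect or a path that reflects its query string, then receives the
// authorization code meant for the legitimate callback.
func weakRedirectMatch(registered, supplied string) bool {
	r, err := url.Parse(registered)
	if err != nil {
		return false
	}
	s, err := url.Parse(supplied)
	if err != nil {
		return false
	}
	return strings.EqualFold(r.Scheme, s.Scheme) && strings.EqualFold(r.Host, s.Host)
}

// strictRedirectMatch is the exact string comparison recommended by RFC 9700
// (OAuth 2.0 Security Best Current Practice): the supplied value must parse
// as an absolute URI, must not carry a fragment (RFC 6749 §3.1.2), and must
// be byte-for-byte identical to a registered value. No normalisation, no
// prefix matching, no host-only matching.
func strictRedirectMatch(registered, supplied string) bool {
	s, err := url.Parse(supplied)
	if err != nil || !s.IsAbs() || s.Host == "" || s.Fragment != "" {
		return false
	}
	return registered == supplied
}

func main() {
	samples := []string{
		registeredRedirect,
		"https://app.example.com/open-redirect?to=https://attacker.example/",
		"https://attacker.example/oauth/callback",
		registeredRedirect + "#fragment",
	}
	for _, s := range samples {
		fmt.Printf("%-72s weak=%-5v strict=%v\n", s,
			weakRedirectMatch(registeredRedirect, s),
			strictRedirectMatch(registeredRedirect, s))
	}
}
```

When reviewing an authorization server, grep for the comparison that decides whether `redirect_uri` is acceptable: anything that parses the URI and compares selected fields (host, or host plus a path prefix) is this bug. Exact matching against the registered string is the only check that does not leave a foothold on the trusted host.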
Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify any echo's fav_count
Severity: Moderate | GHSA-pj6q-4vq4-r8cg | github.com/lin-snow/Ech0 (Go) | published May 7, 2026

Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers
Severity: Moderate | GHSA-3v85-fqvh-7rxf | github.com/lin-snow/Ech0 (Go) | published May 7, 2026

Ech0 comment model's Email field returned on public /api/comments endpoints
Severity: Moderate | GHSA-rj4g-rqgh-rx9h | github.com/lin-snow/Ech0 (Go) | published May 7, 2026
Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
Severity: Moderate | CVE-2026-41572 | github.com/enchant97/note-mark/backend (Go) | published Apr 25, 2026

Note Mark: OIDC-registered users authenticated by submitting password "null"
Severity: Critical | CVE-2026-41571 | github.com/enchant97/note-mark/backend (Go) | published Apr 25, 2026
Lemmy resend-verification endpoint exposes registered email addresses to unauthenticated users
Severity: Moderate | GHSA-qxrw-f6fh-34r7 | lemmy_api (Rust) | published May 6, 2026
Vikunja has File Size Limit Bypass via Vikunja Import
Severity: Moderate | CVE-2026-35602 | code.vikunja.io/api (Go) | published Apr 10, 2026

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
Severity: Moderate | CVE-2026-35601 | code.vikunja.io/api (Go) | published Apr 10, 2026
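The CVE-2026-35601 title names CRLF injection into iCalendar output. The Go program below is an added example of that flaw class and of RFC 5545 TEXT escaping as the fix; it is not Vikunja's code, and the hostile task title in it is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed task title: a CRLF followed by text that parses as a new
// iCalendar property if it reaches the output unescaped.
const hostileTitle = "Buy milk\r\nATTENDEE;PARTSTAT=ACCEPTED:mailto:attacker@example.invalid"

// unsafeProperty writes the value straight onto the content line. This is the
// flaw class the advisory title names: a CR/LF inside user data terminates the
// SUMMARY line, and everything after it is parsed as attacker-chosen properties.
func unsafeProperty(name, value string) string {
	return name + ":" + value + "\r\n"
}

// escapeICalText applies RFC 5545 §3.3.11 TEXT escaping. Backslash is handled
// first so the escapes added afterwards are not doubled; every line-break form
// becomes the two-character sequence "\n", which a parser turns back into a
// newline inside the value but never into a new content line.
func escapeICalText(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "\n")
	s = strings.ReplaceAll(s, "\n", `\n`)
	s = strings.ReplaceAll(s, ";", `\;`)
	s = strings.ReplaceAll(s, ",", `\,`)
	return s
}

// safeProperty is the hardened form: the value is escaped before it is placed
// on the content line. Folding lines longer than 75 octets (RFC 5545 §3.1) is
// a separate output step and is omitted here.
func safeProperty(name, value string) string {
	return name + ":" + escapeICalText(value) + "\r\n"
}

// contentLines counts CRLF-terminated content lines in a fragment; a single
// property must always produce exactly one.
func contentLines(fragment string) int {
	return strings.Count(fragment, "\r\n")
}

func main() {
	unsafe := unsafeProperty("SUMMARY", hostileTitle)
	safe := safeProperty("SUMMARY", hostileTitle)
	fmt.Printf("unsafe (%d content lines):\n%s", contentLines(unsafe), unsafe)
	fmt.Printf("safe (%d content line):\n%s", contentLines(safe), safe)
}
```

The same escaping has to be applied to every TEXT-typed property built from user data (SUMMARY, DESCRIPTION, LOCATION, CATEGORIES, and so on), and property parameters need their own quoting rules; escaping only the field that was reported leaves the others open.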
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Severity: Moderate | CVE-2026-35600 | code.vikunja.io/api (Go) | published Apr 10, 2026

Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
Severity: Moderate | CVE-2026-35599 | code.vikunja.io/api (Go) | published Apr 10, 2026

Vikunja Missing Authorization on CalDAV Task Read
Severity: Moderate | CVE-2026-35598 | code.vikunja.io/api (Go) | published Apr 10, 2026

Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
Severity: Moderate | CVE-2026-35597 | code.vikunja.io/api (Go) | published Apr 10, 2026
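The CVE-2026-35597 title attributes a TOTP brute-force to a lockout that did not work. The Go program below is an added example of a lockout that does: it is not Vikunja's code, it says nothing about why Vikunja's lockout failed, and the account names, thresholds and clock values are constructed for the example. Computing the TOTP value itself is out of scope; the guard receives the server-side expected code.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

const (
	maxFailures   = 5                // consecutive wrong codes before locking (assumed policy)
	lockoutWindow = 15 * time.Minute // how long the account stays locked (assumed policy)
)

var (
	ErrLocked  = errors.New("account temporarily locked")
	ErrBadCode = errors.New("invalid code")
)

type attemptState struct {
	failures    int
	lockedUntil time.Time
}

// TOTPGuard wraps a second-factor check with a per-account lockout. The clock
// is injected so the lockout can be exercised without sleeping.
type TOTPGuard struct {
	mu    sync.Mutex
	state map[string]*attemptState
	now   func() time.Time
}

func NewTOTPGuard(now func() time.Time) *TOTPGuard {
	return &TOTPGuard{state: make(map[string]*attemptState), now: now}
}

// Verify compares the submitted code with the value the server computed for
// the current time step. Three properties make the lockout functional: the
// lock is checked before any comparison, a correct code does not unlock an
// account early, and the counter resets only on success or when a lock is
// imposed. A lockout that is skipped, reset on every attempt, or kept in
// per-process memory behind a load balancer lets an attacker walk the 10^6
// six-digit code space.
func (g *TOTPGuard) Verify(account, expected, submitted string) error {
	g.mu.Lock()
	defer g.mu.Unlock()

	st, ok := g.state[account]
	if !ok {
		st = &attemptState{}
		g.state[account] = st
	}
	now := g.now()
	if now.Before(st.lockedUntil) {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
		st.failures = 0
		return nil
	}
	st.failures++
	if st.failures >= maxFailures {
		st.lockedUntil = now.Add(lockoutWindow)
		st.failures = 0
	}
	return ErrBadCode
}

func main() {
	clock := time.Date(2026, 4, 10, 12, 0, 0, 0, time.UTC)
	g := NewTOTPGuard(func() time.Time { return clock })
	for i := 0; i < maxFailures; i++ {
		fmt.Println("wrong code:", g.Verify("alice", "123456", "000000"))
	}
	fmt.Println("correct code while locked:", g.Verify("alice", "123456", "123456"))
	clock = clock.Add(lockoutWindow + time.Second)
	fmt.Println("correct code after the lock expires:", g.Verify("alice", "123456", "123456"))
}
```

In a deployment with more than one API replica the `state` map has to live in shared storage (the database or a cache) keyed by account, otherwise each replica grants its own budget of attempts. Testing the lockout the way `main` does, with the correct code submitted during the window, is the check that catches a counter that is incremented but never consulted.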
Vikunja vulnerable to Privilege Escalation via Project Reparenting
Severity: High | CVE-2026-35595 | code.vikunja.io/api (Go) | published Apr 10, 2026

Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Severity: Moderate | CVE-2026-35596 | code.vikunja.io/api (Go) | published Apr 10, 2026
AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
Severity: Moderate | CVE-2026-35452 | wwbn/avideo (Composer) | published Apr 4, 2026

AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Severity: Moderate | CVE-2026-35450 | wwbn/avideo (Composer) | published Apr 4, 2026

AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
Severity: Moderate | CVE-2026-35449 | wwbn/avideo (Composer) | published Apr 4, 2026

AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
Severity: Low | CVE-2026-35448 | wwbn/avideo (Composer) | published Apr 4, 2026

AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Severity: Moderate | CVE-2026-35181 | wwbn/avideo (Composer) | published Apr 3, 2026

AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
Severity: Moderate | CVE-2026-35179 | wwbn/avideo (Composer) | published Apr 3, 2026

AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Severity: Moderate | CVE-2026-34739 | wwbn/avideo (Composer) | published Apr 1, 2026

AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
Severity: Moderate | CVE-2026-34738 | wwbn/avideo (Composer) | published Apr 1, 2026

AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug
Severity: Moderate | CVE-2026-34737 | wwbn/avideo (Composer) | published Apr 1, 2026

AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
Severity: Moderate | CVE-2026-34740 | wwbn/avideo (Composer) | published Apr 1, 2026