GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,910 advisories
MinIO LDAP login brute-force via user enumeration and missing rate limit
Critical
CVE-2026-33419
was published
for
github.com/minio/minio
(Go)
Mar 20, 2026
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Critical
CVE-2026-33478
was published
for
avideo/avideo
(Composer)
Mar 20, 2026
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Critical
CVE-2026-33286
was published
for
graphiti
(RubyGems)
Mar 20, 2026
AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
Critical
CVE-2026-33352
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Critical
CVE-2026-33351
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
MinIO has JWT Algorithm Confusion in OIDC Authentication
Critical
CVE-2026-33322
was published
for
github.com/minio/minio
(Go)
Mar 19, 2026
Langflow has an Arbitrary File Write (RCE) via v2 API
Critical
CVE-2026-33309
was published
for
langflow
(pip)
Mar 19, 2026
qui CORS Misconfiguration: Arbitrary Origins Trusted
Critical
CVE-2026-30924
was published
for
github.com/autobrr/qui
(Go)
Mar 19, 2026
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Critical
CVE-2026-30836
was published
for
github.com/smallstep/certificates
(Go)
Mar 19, 2026
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
Critical
GHSA-wvr4-3wq4-gpc5
was published
for
mcp-bridge
(npm)
Mar 19, 2026
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod
Critical
CVE-2026-33211
was published
for
github.com/tektoncd/pipeline
(Go)
Mar 18, 2026
gRPC-Go has an authorization bypass via missing leading slash in :path
Critical
CVE-2026-33186
was published
for
google.golang.org/grpc
(Go)
Mar 18, 2026
HAPI FHIR HTTP authentication leak in redirects
Critical
CVE-2026-33180
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.convertors
(Maven)
Mar 18, 2026
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py
Critical
CVE-2026-33057
was published
for
mesop
(pip)
Mar 18, 2026
Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion
Critical
CVE-2026-33054
was published
for
mesop
(pip)
Mar 18, 2026
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
Critical
CVE-2026-32731
was published
for
@apostrophecms/import-export
(npm)
Mar 18, 2026
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Critical
CVE-2026-33017
was published
for
langflow
(pip)
Mar 17, 2026
jsPDF has HTML Injection in New Window paths
Critical
CVE-2026-31938
was published
for
jspdf
(npm)
Mar 17, 2026
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)
Critical
CVE-2026-32940
was published
for
github.com/siyuan-note/siyuan
(Go)
Mar 17, 2026
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
Critical
CVE-2026-32938
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 17, 2026
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical
CVE-2026-32817
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Critical
CVE-2026-32767
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
File Browser Signup Grants Admin When Default Permissions Include Admin
Critical
CVE-2026-32760
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
ProTip!
Advisories are also available from the
GraphQL API