Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,334
Maven
5,000+
npm
5,000+
NuGet
880
pip
4,540
Pub
12
RubyGems
1,011
Rust
1,201
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,863 advisories

Loading
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay High
CVE-2026-33946 was published for mcp (RubyGems) Mar 27, 2026
srikanthramu Credited to srikanthramu
Saloon has insecure deserialization in AccessTokenAuthenticator High
CVE-2026-33942 was published for saloonphp/saloon (Composer) Mar 27, 2026
JonPurvis Credited to JonPurvis, Sammyjo20, and HuajiHD Sammyjo20 Sammyjo20
HuajiHD HuajiHD
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options High
CVE-2026-33941 was published for handlebars (npm) Mar 27, 2026
Gyde04 Credited to Gyde04
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial High
CVE-2026-33940 was published for handlebars (npm) Mar 27, 2026
evanj2357 Credited to evanj2357
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation High
CVE-2026-33939 was published for handlebars (npm) Mar 27, 2026
trace37labs Credited to trace37labs
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block High
CVE-2026-33938 was published for handlebars (npm) Mar 27, 2026
evanj2357 Credited to evanj2357
Handlebars.js has JavaScript Injection via AST Type Confusion Critical
CVE-2026-33937 was published for handlebars (npm) Mar 27, 2026
RealHurrison Credited to RealHurrison
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects Moderate
CVE-2026-34043 was published for serialize-javascript (npm) Mar 27, 2026
TomerAberbach Credited to TomerAberbach
Fleet's unbounded request body read allows remote Denial of Service High
CVE-2026-26061 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
MagnusHJensen Credited to MagnusHJensen
Fleet: Password reset tokens remain valid after password change for 24 hours Moderate
CVE-2026-26060 was published for github.com/fleetdm/fleet/v4 (Go) Mar 27, 2026
n8n has XSS in its Credential Management Flow Moderate
GHSA-364x-8g5j-x2pr was published for n8n (npm) Mar 27, 2026
yohannslm Credited to yohannslm
n8n has XSS in Chat Trigger Node through Custom CSS Moderate
GHSA-3c7f-5hgj-h279 was published for n8n (npm) Mar 27, 2026
JorianWoltjer Credited to JorianWoltjer
n8n: Authenticated XSS and Open Redirect via Form Node Moderate
GHSA-w673-8fjw-457c was published for n8n (npm) Mar 27, 2026
tCu0n9 Credited to tCu0n9
n8n has a Stored XSS Vulnerability in its Form Trigger Moderate
GHSA-q4fm-pjq6-m63g was published for n8n (npm) Mar 27, 2026
tr4ce-ju Credited to tr4ce-ju
Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php Moderate
CVE-2026-34036 was published for dolibarr/dolibarr (Composer) Mar 27, 2026
cnf409 Credited to cnf409
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration Critical
CVE-2026-33992 was published for pyload-ng (pip) Mar 27, 2026
DhiyaneshGeek Credited to DhiyaneshGeek
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521 Moderate
CVE-2026-33994 was published for locutus (npm) Mar 27, 2026
gtsp233 Credited to gtsp233
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize() Moderate
CVE-2026-33993 was published for locutus (npm) Mar 27, 2026
offset Credited to offset
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk) High
CVE-2026-33979 was published for express-xss-sanitizer (npm) Mar 27, 2026
Lissy93 Credited to Lissy93
Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass Moderate
CVE-2026-32695 was published for github.com/traefik/traefik/v2 (Go) Mar 27, 2026
b-hermes Credited to b-hermes
Moby has AuthZ plugin bypass when provided oversized request bodies High
CVE-2026-34040 was published for github.com/docker/docker (Go) Mar 27, 2026
vvoland Credited to vvoland and manizada manizada manizada
Moby has an Off-by-one error in its plugin privilege validation Moderate
CVE-2026-33997 was published for github.com/docker/docker (Go) Mar 27, 2026
vvoland Credited to vvoland
Incus has an abitrary file write through its systemd-creds options Critical
CVE-2026-33945 was published for github.com/lxc/incus/v6 (Go) Mar 27, 2026
stgraber Credited to stgraber, grmpyninja, and stamparm grmpyninja grmpyninja
stamparm stamparm
Local Incus UI web server vulnerable to nuthentication bypass High
CVE-2026-33898 was published for github.com/lxc/incus/v6/cmd/incus (Go) Mar 27, 2026
grmpyninja Credited to grmpyninja and stgraber stgraber stgraber
Incus vulnerable to arbitrary file read and write through pongo templates Critical
CVE-2026-33897 was published for github.com/lxc/incus (Go) Mar 27, 2026
grmpyninja Credited to grmpyninja and stgraber stgraber stgraber
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database