GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
170 advisories
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
Moderate
CVE-2026-39390
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
Moderate
CVE-2026-39389
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Moderate
CVE-2026-39844
was published
for
nicegui
(pip)
Apr 8, 2026
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Low
CVE-2026-34166
was published
for
liquidjs
(npm)
Apr 8, 2026
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Moderate
CVE-2026-39381
was published
for
parse-server
(npm)
Apr 8, 2026
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Moderate
CVE-2026-39367
was published
for
wwbn/avideo
(Composer)
Apr 8, 2026
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
Moderate
CVE-2026-39366
was published
for
wwbn/avideo
(Composer)
Apr 8, 2026
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
Moderate
GHSA-fcmh-qfxc-w685
was published
for
github.com/cloudnativelabs/kube-router/v2
(Go)
Apr 8, 2026
Parse Server has a login timing side-channel reveals user existence
Moderate
CVE-2026-39321
was published
for
parse-server
(npm)
Apr 8, 2026
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Moderate
CVE-2026-35592
was published
for
pyload-ng
(pip)
Apr 8, 2026
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Moderate
CVE-2026-35586
was published
for
pyload-ng
(pip)
Apr 8, 2026
Parse Server: File upload Content-Type override via extension mismatch
Low
CVE-2026-35200
was published
for
parse-server
(npm)
Apr 4, 2026
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
High
CVE-2026-35044
was published
for
bentoml
(pip)
Apr 3, 2026
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Moderate
CVE-2026-34211
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
High
CVE-2026-35037
was published
for
github.com/lin-snow/ech0
(Go)
Apr 3, 2026
Parser Server's streaming file download bypasses afterFind file trigger authorization
High
CVE-2026-34784
was published
for
parse-server
(npm)
Apr 1, 2026
Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber
Low
CVE-2026-34762
was published
for
github.com/ellanetworks/core
(Go)
Apr 1, 2026
Ella Core Panics Upon NGAP handover failure
Moderate
CVE-2026-34761
was published
for
github.com/ellanetworks/core
(Go)
Apr 1, 2026
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
High
CVE-2026-34604
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
High
CVE-2026-34603
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
High
CVE-2026-34528
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 31, 2026
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Moderate
CVE-2026-34383
was published
for
admidio/admidio
(Composer)
Mar 31, 2026
Admidio has Missing CSRF Protection on Registration Approval Actions
Moderate
CVE-2026-34384
was published
for
admidio/admidio
(Composer)
Mar 31, 2026
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Moderate
CVE-2026-34369
was published
for
wwbn/avideo
(Composer)
Mar 30, 2026
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Moderate
CVE-2026-34364
was published
for
wwbn/avideo
(Composer)
Mar 30, 2026
ProTip!
Advisories are also available from the
GraphQL API