GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
127 advisories
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
High
CVE-2026-34604
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
High
CVE-2026-34603
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
High
CVE-2026-34528
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 31, 2026
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Moderate
CVE-2026-34383
was published
for
admidio/admidio
(Composer)
Mar 31, 2026
Admidio has Missing CSRF Protection on Registration Approval Actions
Moderate
CVE-2026-34384
was published
for
admidio/admidio
(Composer)
Mar 31, 2026
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Moderate
CVE-2026-34369
was published
for
wwbn/avideo
(Composer)
Mar 30, 2026
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Moderate
CVE-2026-34364
was published
for
wwbn/avideo
(Composer)
Mar 30, 2026
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
Moderate
CVE-2026-34362
was published
for
wwbn/avideo
(Composer)
Mar 30, 2026
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
Critical
CVE-2026-34361
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.validation
(Maven)
Mar 30, 2026
FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing
Moderate
CVE-2026-34360
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.core
(Maven)
Mar 30, 2026
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect
High
CVE-2026-34359
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.core
(Maven)
Mar 30, 2026
AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
Moderate
CVE-2026-34247
was published
for
wwbn/avideo
(Composer)
Mar 29, 2026
AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
Moderate
CVE-2026-34245
was published
for
wwbn/avideo
(Composer)
Mar 29, 2026
AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records
High
GHSA-wprj-9cvc-5w37
was published
for
wwbn/avideo
(Composer)
Mar 29, 2026
Parse Server has an MFA single-use token bypass via concurrent authData login requests
Low
CVE-2026-34224
was published
for
parse-server
(npm)
Mar 29, 2026
Parse Server exposes auth data via verify password endpoint
High
CVE-2026-34215
was published
for
parse-server
(npm)
Mar 29, 2026
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Moderate
CVE-2026-33993
was published
for
locutus
(npm)
Mar 27, 2026
Ella Core Panics during NAS Authentication Response/Failure with missing IEs
Moderate
CVE-2026-33907
was published
for
github.com/ellanetworks/core
(Go)
Mar 26, 2026
Ella Core has Privilege Escalation via Database Restore by NetworkManager role
High
CVE-2026-33906
was published
for
github.com/ellanetworks/core
(Go)
Mar 26, 2026
Ella Core has a Denial of Service via SCTP connection cleanup deadlock
Moderate
CVE-2026-33904
was published
for
github.com/ellanetworks/core
(Go)
Mar 26, 2026
Ella Core panics when processing a crafted NGAP LocationReport message
Moderate
CVE-2026-33903
was published
for
github.com/ellanetworks/core
(Go)
Mar 26, 2026
Statamic allows unauthorized content access through missing authorization in its revision controllers
Moderate
CVE-2026-33887
was published
for
statamic/cms
(Composer)
Mar 26, 2026
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
Moderate
CVE-2026-33886
was published
for
statamic/cms
(Composer)
Mar 26, 2026
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
Moderate
CVE-2026-33885
was published
for
statamic/cms
(Composer)
Mar 26, 2026
Statamic's live preview token bypasses content protection for unrelated entries
Moderate
CVE-2026-33884
was published
for
statamic/cms
(Composer)
Mar 26, 2026
ProTip!
Advisories are also available from the
GraphQL API