GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

8 advisories

Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite High
CVE-2026-35412 was published for directus (npm) Apr 4, 2026
Credited to bugbunny-research
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write High
CVE-2026-35214 was published for @budibase/server (npm) Apr 4, 2026
Credited to bugbunny-research
lodash vulnerable to Code Injection via `_.template` imports key names High
CVE-2026-4800 was published for lodash (npm) Apr 1, 2026
Credited to dolevmiz1, bugbunny-research, M0nd0R, UlisesGascon, falsyvalues, jonchurch, threalwinky, and jdalton
parse-server has GraphQL complexity validator exponential fragment traversal DoS High
CVE-2026-34573 was published for parse-server (npm) Mar 31, 2026
Credited to bugbunny-research and mtrezza
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy High
CVE-2026-33039 was published for wwbn/avideo (Composer) Mar 17, 2026
Credited to bugbunny-research
AVideo: Unauthenticated PHP session store exposed to host network via published memcached port High
CVE-2026-29093 was published for wwbn/avideo (Composer) Mar 5, 2026
Credited to bugbunny-research