GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
25 advisories
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Moderate
CVE-2026-33916
was published
for
handlebars
(npm)
Mar 26, 2026
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
Moderate
CVE-2026-33672
was published
for
picomatch
(npm)
Mar 25, 2026
Picomatch has a ReDoS vulnerability via extglob quantifiers
High
CVE-2026-33671
was published
for
picomatch
(npm)
Mar 25, 2026
music-metadata has an infinite loop vulnerability in ASF parser
High
CVE-2026-32256
was published
for
music-metadata
(npm)
Mar 17, 2026
SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox
High
CVE-2026-32640
was published
for
simpleeval
(pip)
Mar 13, 2026
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
Moderate
CVE-2026-32630
was published
for
file-type
(npm)
Mar 13, 2026
Locutus vulnerable to RCE via unsanitized input in create_function()
Critical
CVE-2026-32304
was published
for
locutus
(npm)
Mar 13, 2026
flatted vulnerable to unbounded recursion DoS in parse() revive phase
High
CVE-2026-32141
was published
for
flatted
(npm)
Mar 13, 2026
liquidjs has a path traversal fallback vulnerability
High
CVE-2026-30952
was published
for
liquidjs
(npm)
Mar 10, 2026
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion
High
CVE-2026-28512
was published
for
github.com/pocket-id/pocket-id/backend
(Go)
Mar 9, 2026
Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer
High
CVE-2026-30242
was published
for
plane
(pip)
Mar 5, 2026
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
High
CVE-2026-29074
was published
for
svgo
(npm)
Mar 4, 2026
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
High
CVE-2026-27601
was published
for
underscore
(npm)
Mar 3, 2026
wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
Moderate
CVE-2026-27839
was published
for
wger
(pip)
Feb 26, 2026
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
Low
CVE-2026-27838
was published
for
wger
(pip)
Feb 26, 2026
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Moderate
CVE-2026-27835
was published
for
wger
(pip)
Feb 26, 2026
Parse Dashboard is Missing Authorization for its Agent Endpoint
Critical
CVE-2026-27608
was published
for
parse-dashboard
(npm)
Feb 25, 2026
Parse Dashboard has incomplete authentication on AI Agent endpoint
Critical
CVE-2026-27595
was published
for
parse-dashboard
(npm)
Feb 25, 2026
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Critical
CVE-2026-27626
was published
for
github.com/OliveTin/OliveTin
(Go)
Feb 25, 2026
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering
Critical
CVE-2026-27614
was published
for
bugsink
(pip)
Feb 25, 2026
Isso affected by Stored XSS via comment website field
Moderate
CVE-2026-27469
was published
for
isso
(pip)
Feb 24, 2026
OneUptime:: node:vm sandbox escape in probe allows any project member to achieve RCE
Critical
CVE-2026-27574
was published
for
@oneuptime/common
(npm)
Feb 24, 2026
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
Critical
GHSA-6qr9-g2xw-cw92
was published
for
github.com/dagu-org/dagu
(Go)
Feb 19, 2026
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
High
CVE-2026-26278
was published
for
fast-xml-parser
(npm)
Feb 17, 2026
ProTip!
Advisories are also available from the
GraphQL API