GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 45; GitHub Actions 47; Go 3,309; Maven 5,000+; npm 5,000+; NuGet 876; pip 4,531; Pub 12; RubyGems 1,009; Rust 1,195; Swift 51
Unreviewed advisories: All unreviewed 5,000+
27,724 advisories
CVE-2026-33744 (High), published Mar 26, 2026 for bentoml (pip): BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml
CVE-2026-33724 (Moderate), published Mar 25, 2026 for n8n (npm): n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
CVE-2026-33722 (High), published Mar 25, 2026 for n8n (npm): n8n Has External Secrets Authorization Bypass in Credential Saving
CVE-2026-33183 (Moderate), published Mar 25, 2026 for saloonphp/saloon (Composer): Saloon has a Fixture Name Path Traversal Vulnerability
CVE-2026-33182 (Moderate), published Mar 25, 2026 for saloonphp/saloon (Composer): Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL
CVE-2026-33720 (Moderate), published Mar 25, 2026 for n8n (npm): n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
CVE-2026-33723 (High), published Mar 25, 2026 for wwbn/avideo (Composer): AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter
CVE-2026-33719 (High), published Mar 25, 2026 for wwbn/avideo (Composer): AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment
CVE-2026-33718 (High), published Mar 25, 2026 for openhands (pip): OpenHands is Vulnerable to Command Injection through its Git Diff Handler
CVE-2026-33717 (High), published Mar 25, 2026 for wwbn/avideo (Composer): AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
CVE-2026-33716 (Critical), published Mar 25, 2026 for wwbn/avideo (Composer): AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
CVE-2026-33701 (Critical), published Mar 25, 2026 for io.opentelemetry.javaagent:opentelemetry-javaagent (Maven): OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
CVE-2026-33700 (Moderate), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
CVE-2026-33682 (Moderate), published Mar 25, 2026 for Streamlit (pip): Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure)
CVE-2026-33680 (High), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
CVE-2026-33679 (Moderate), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
CVE-2026-33678 (High), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
CVE-2026-33677 (Moderate), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
CVE-2026-33676 (Moderate), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
CVE-2026-33675 (Moderate), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
CVE-2026-33672 (Moderate), published Mar 25, 2026 for picomatch (npm): Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
CVE-2026-33671 (High), published Mar 25, 2026 for picomatch (npm): Picomatch has a ReDoS vulnerability via extglob quantifiers
CVE-2026-33668 (High), published Mar 25, 2026 for code.vikunja.io/api (Go): Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
CVE-2026-33665 (High), published Mar 25, 2026 for n8n (npm): n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
CVE-2026-33663 (High), published Mar 25, 2026 for n8n (npm): n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
Advisories are also available from the GraphQL API.