GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
28,350 advisories
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Moderate
CVE-2026-35181
was published
for
wwbn/avideo
(Composer)
Apr 3, 2026
Hugo: Certain markdown links are not properly escaped
Moderate
CVE-2026-35166
was published
for
github.com/gohugoio/hugo
(Go)
Apr 3, 2026
AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
Moderate
CVE-2026-35179
was published
for
wwbn/avideo
(Composer)
Apr 3, 2026
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
High
CVE-2026-35044
was published
for
bentoml
(pip)
Apr 3, 2026
BentoML: Command Injection in cloud deployment setup script
High
CVE-2026-35043
was published
for
bentoml
(pip)
Apr 3, 2026
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
Critical
CVE-2026-35030
was published
for
litellm
(pip)
Apr 3, 2026
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Critical
CVE-2026-35471
was published
for
github.com/patrickhener/goshs
(Go)
Apr 3, 2026
OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
High
CVE-2026-35470
was published
for
devcode-it/openstamanager
(Composer)
Apr 3, 2026
Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
High
CVE-2026-34824
was published
for
mesop
(pip)
Apr 3, 2026
Budibase: Command Injection in Bash Automation Step
High
CVE-2026-25044
was published
for
@budibase/server
(npm)
Apr 3, 2026
Electron: Use-after-free in offscreen shared texture release() callback
Low
CVE-2026-34764
was published
for
electron
(npm)
Apr 3, 2026
vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing
Moderate
CVE-2026-34755
was published
for
vllm
(pip)
Apr 3, 2026
vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url `
Moderate
CVE-2026-34753
was published
for
vllm
(pip)
Apr 3, 2026
OpenEXR: integer overflow to OOB write in uncompress_b44_impl()
High
CVE-2026-34544
was published
for
openexr
(pip)
Apr 3, 2026
SandboxJS: Sandbox Escape via Prop Object Leak in New Handler
Moderate
CVE-2026-34217
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Moderate
CVE-2026-34211
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
SandboxJS: Sandbox integrity escape
Critical
CVE-2026-34208
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Moderate
CVE-2026-34083
was published
for
signalk-server
(npm)
Apr 3, 2026
LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)
Moderate
CVE-2026-34052
was published
for
jupyterhub-ltiauthenticator
(pip)
Apr 3, 2026
Signal K Server: Unauthenticated Source Priorities Manipulation
Moderate
CVE-2026-33951
was published
for
signalk-server
(npm)
Apr 3, 2026
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Critical
CVE-2026-33950
was published
for
signalk-server
(npm)
Apr 3, 2026
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)
High
CVE-2026-33752
was published
for
curl_cffi
(pip)
Apr 3, 2026
ProTip!
Advisories are also available from the
GraphQL API