GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
182 advisories
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
High
CVE-2026-33483
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
High
CVE-2026-33482
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Moderate
CVE-2026-33429
was published
for
parse-server
(npm)
Mar 20, 2026
PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled
Moderate
GHSA-pgx6-7jcq-2qff
was published
for
@pdfme/common
(npm)
Mar 20, 2026
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel
Moderate
GHSA-xgx4-2wgv-4jhm
was published
for
@pdfme/schemas
(npm)
Mar 20, 2026
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS
Moderate
GHSA-vrqm-gvq7-rrwh
was published
for
@pdfme/pdf-lib
(npm)
Mar 20, 2026
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
High
CVE-2026-33421
was published
for
parse-server
(npm)
Mar 20, 2026
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
High
CVE-2026-33480
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
High
CVE-2026-33479
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Critical
CVE-2026-33478
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
High
CVE-2026-33418
was published
for
@dicebear/converter
(npm)
Mar 20, 2026
Parse Server has an auth provider validation bypass on login via partial authData
High
CVE-2026-33409
was published
for
parse-server
(npm)
Mar 19, 2026
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
Moderate
CVE-2026-33349
was published
for
fast-xml-parser
(npm)
Mar 19, 2026
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
Moderate
CVE-2026-33311
was published
for
@dicebear/core
(npm)
Mar 19, 2026
AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources
Moderate
CVE-2026-33294
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
High
CVE-2026-33293
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
High
CVE-2026-33292
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
Moderate
CVE-2026-33319
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration
Moderate
CVE-2026-33238
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
Moderate
CVE-2026-33237
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script)
Moderate
GHSA-qvc2-mg72-jjhx
was published
for
justhtml
(pip)
Mar 18, 2026
SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass)
Moderate
CVE-2026-33194
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 18, 2026
Parse Server leaks protected fields via LiveQuery afterEvent trigger
High
CVE-2026-33163
was published
for
parse-server
(npm)
Mar 18, 2026
Parse Server session creation endpoint allows overwriting server-generated session fields
Moderate
CVE-2026-32742
was published
for
parse-server
(npm)
Mar 17, 2026
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Moderate
CVE-2026-32878
was published
for
parse-server
(npm)
Mar 17, 2026
ProTip!
Advisories are also available from the
GraphQL API