GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
26,935 advisories
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment
Critical
CVE-2026-27825
was published
for
mcp-atlassian
(pip)
Mar 10, 2026
MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
High
CVE-2026-27826
was published
for
mcp-atlassian
(pip)
Mar 10, 2026
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
Critical
CVE-2026-28292
was published
for
simple-git
(npm)
Mar 10, 2026
Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly
Moderate
CVE-2026-26330
was published
for
github.com/envoyproxy/envoy
(Go)
Mar 10, 2026
Envoy: HTTP - filter chain execution on reset streams causing UAF crash
Moderate
CVE-2026-26311
was published
for
github.com/envoyproxy/envoy
(Go)
Mar 10, 2026
Envoy affected by off-by-one write in JsonEscaper::escapeString()
Moderate
CVE-2026-26309
was published
for
github.com/envoyproxy/envoy
(Go)
Mar 10, 2026
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation
High
CVE-2026-26308
was published
for
github.com/envoyproxy/envoy
(Go)
Mar 10, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
Craft Commerce: Potential IDOR in Commerce carts
Moderate
CVE-2026-31867
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
Low
CVE-2026-29177
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Inventory Location Name
Moderate
CVE-2026-29176
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
High
CVE-2026-29175
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
High
CVE-2026-29174
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Low
CVE-2026-29173
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
High
CVE-2026-29172
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft CMS has a potential information disclosure vulnerability in preview tokens
Low
CVE-2026-29113
was published
for
craftcms/cms
(Composer)
Mar 10, 2026
StudioCMS has Privilege Escalation via Insecure API Token Generation
High
CVE-2026-30944
was published
for
studiocms
(npm)
Mar 10, 2026
Envoy vulenrable to crash for scoped ip address during DNS
Moderate
CVE-2026-26310
was published
for
github.com/envoyproxy/envoy
(Go)
Mar 10, 2026
copyparty: volflag `nohtml` did not block javascript in svg files
Moderate
CVE-2026-30974
was published
for
copyparty
(pip)
Mar 10, 2026
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
Moderate
CVE-2026-30964
was published
for
web-auth/webauthn-framework
(Composer)
Mar 10, 2026
RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface
Critical
CVE-2026-30960
was published
for
rssn
(Rust)
Mar 10, 2026
Linkdave Missing Authentication on REST and WebSocket endpoints
Critical
GHSA-xv8g-fj9h-6gmv
was published
for
github.com/shi-gg/linkdave
(Go)
Mar 10, 2026
OneUptime has WhatsApp Resend Verification Authorization Bypass
Moderate
CVE-2026-30959
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30957
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Critical
CVE-2026-30956
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
ProTip!
Advisories are also available from the
GraphQL API
