GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
323 advisories
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
Severity: Moderate. CVE-2026-50179 was published for @actual-app/web (npm) on Jun 22, 2026.
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
Severity: High. CVE-2026-54351 was published for @budibase/server (npm) on Jun 22, 2026.
@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
Severity: Moderate. CVE-2026-46700 was published for @actual-app/sync-server (npm) on Jun 22, 2026.
@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper
Severity: Moderate. CVE-2026-46672 was published for @actual-app/cli (npm) on Jun 22, 2026.
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data
Severity: Moderate. CVE-2026-33731 was published for wwbn/avideo (Composer) on Jun 22, 2026.
AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
Severity: Moderate. CVE-2026-33684 was published for wwbn/avideo (Composer) on Jun 22, 2026.
parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Severity: Low. GHSA-97pr-9hgg-3p8r was published for parse-server (npm) on Jun 19, 2026.
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
Severity: Moderate. CVE-2026-55847 was published for io.qameta.allure:allure-generator (Maven) on Jun 19, 2026.
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
Severity: Moderate. CVE-2026-55846 was published for io.qameta.allure:allure-commandline (Maven) on Jun 19, 2026.
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Severity: Moderate. CVE-2026-53726 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Severity: Moderate. CVE-2026-53725 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Severity: Low. CVE-2026-53724 was published for parse-server (npm) on Jun 19, 2026.
parse-server: Server option routeAllowList is bypassable through batch sub-requests
Severity: Moderate. CVE-2026-50008 was published for parse-server (npm) on Jun 19, 2026.
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
Severity: Low. GHSA-vxr8-fq34-vvx9 was published for dompurify (npm) on Jun 15, 2026.
DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
Severity: Moderate. GHSA-76mc-f452-cxcm was published for dompurify (npm) on Jun 15, 2026.
DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
Severity: Moderate. CVE-2026-49458 was published for dompurify (npm) on Jun 15, 2026.
DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
Severity: Moderate. CVE-2026-49459 was published for dompurify (npm) on Jun 15, 2026.
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Severity: Moderate. CVE-2026-49397 was published for github.com/nezhahq/nezha (Go) on Jun 10, 2026.
praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR
Severity: High. CVE-2026-47419 was published for praisonai-platform (pip) on Jun 5, 2026.
Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation
Severity: Moderate. CVE-2026-48013 was published for shopware/core (Composer) on Jun 4, 2026.
Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Severity: Moderate. CVE-2026-48014 was published for shopware/core (Composer) on Jun 4, 2026.
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Severity: Moderate. CVE-2026-47674 was published for hono (npm) on Jun 4, 2026.
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Severity: Moderate. CVE-2026-47675 was published for hono (npm) on Jun 4, 2026.
praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}
Severity: High. CVE-2026-47412 was published for praisonai-platform (pip) on Jun 1, 2026.
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR
Severity: High. CVE-2026-47415 was published for praisonai-platform (pip) on Jun 1, 2026.
Advisories are also available from the GraphQL API.