GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
26,868 advisories
[Low] Soroban: Muxed address<->ScVal conversions may break after a conversion failure. GHSA-pm4j-7r4q-ccg8, published for soroban-env-host (Rust), Mar 7, 2026.
[Critical] OneUptime: Synthetic Monitor RCE via exposed Playwright browser object. GHSA-4j36-39gm-8vq8, published for @oneuptime/common (npm), Mar 7, 2026.
[High] Black's vulnerable version parsing leads to RCE in GitHub Action. GHSA-v53h-f6m7-xcgm, published for psf/black (GitHub Actions), Mar 7, 2026.
[Low] Shescape has possible misidentification of shell due to link chains. GHSA-6f6w-6j58-rq76, published for shescape (npm), Mar 7, 2026.
[High] FUXA has a hardcoded fallback JWT signing secret. GHSA-c8m8-3jcr-6rj5, published for @frangoteam/fuxa (npm), Mar 7, 2026.
[Critical] OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE. GHSA-h343-gg57-2q67, published for @oneuptime/common (npm), Mar 7, 2026.
[Moderate] AVideo has Unauthenticated IDOR - Playlist Information Disclosure. GHSA-6w2r-cfpc-23r5, published for wwbn/avideo (Composer), Mar 7, 2026.
[Moderate] PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`. GHSA-q6wc-xx4m-92fj, published for @powersync/service-core (npm), Mar 7, 2026.
[Critical] SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage. GHSA-2h2p-mvfx-868w, published for github.com/siyuan-note/siyuan/kernel (Go), Mar 7, 2026.
[High] mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft. GHSA-g9rg-8vq5-mpwm, published for mcp-memory-service (pip), Mar 7, 2026.
[Moderate] Firefly III user API endpoints expose all users' information to any authenticated user (IDOR). GHSA-5q8v-j673-m5v4, published for grumpydictator/firefly-iii (Composer), Mar 7, 2026.
[Critical] WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation. CVE-2026-30861, published for github.com/Tencent/WeKnora (Go), Mar 7, 2026.
[Critical] WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool. CVE-2026-30860, published for github.com/Tencent/WeKnora (Go), Mar 6, 2026.
[High] WeKnora has Broken Access Control - Cross-Tenant Data Exposure. CVE-2026-30859, published for github.com/Tencent/WeKnora (Go), Mar 6, 2026.
[High] WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources. CVE-2026-30858, published for github.com/Tencent/WeKnora (Go), Mar 6, 2026.
[Moderate] WeKnora has Unauthorized Cross-Tenant Knowledge Base Cloning. CVE-2026-30857, published for github.com/Tencent/WeKnora (Go), Mar 6, 2026.
[Moderate] WeKnora Vulnerable to Tool Execution Hijacking via Ambiguous Naming Convention In MCP client and Indirect Prompt Injection. CVE-2026-30856, published for github.com/Tencent/WeKnora (Go), Mar 6, 2026.
[Critical] WeKnora Vulnerable to Broken Access Control in Tenant Management. CVE-2026-30855, published for github.com/Tencent/WeKnora (Go), Mar 6, 2026.
[Moderate] Caddy's vars_regexp double-expands user input, leaking env vars and files. CVE-2026-30852, published for github.com/caddyserver/caddy/v2/modules/caddyhttp (Go), Mar 6, 2026.
[High] Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation. CVE-2026-30851, published for github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go), Mar 6, 2026.
[Moderate] CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names. CVE-2026-30838, published for league/commonmark (Composer), Mar 6, 2026.
[Moderate] parse-server: Malformed `$regex` query leaks database error details in API response. CVE-2026-30835, published for parse-server (npm), Mar 6, 2026.
[High] Flowise Missing Authentication on NVIDIA NIM Endpoints. CVE-2026-30824, published for flowise (npm), Mar 6, 2026.
[High] Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration. CVE-2026-30823, published for flowise (npm), Mar 6, 2026.
ProTip! Advisories are also available from the GraphQL API.