GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
17 advisories
SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)
High
CVE-2026-34605
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Apr 1, 2026
Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
High
CVE-2026-34593
was published
for
ash
(Erlang)
Apr 1, 2026
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
Moderate
CVE-2026-33297
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php
Low
CVE-2026-33296
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php
High
CVE-2026-33295
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has Unauthenticated PGP Message Decryption via Public Endpoint
Moderate
GHSA-5x2w-37xf-7962
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
File Browser Signup Grants Admin When Default Permissions Include Admin
Critical
CVE-2026-32760
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
Moderate
CVE-2026-32759
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
Moderate
CVE-2026-32750
was published
for
github.com/siyuan-note/siyuan
(Go)
Mar 16, 2026
SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write
High
CVE-2026-32749
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets
Moderate
CVE-2026-32747
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist
Moderate
GHSA-r48f-3986-4f9c
was published
for
fickling
(pip)
Mar 13, 2026
SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB
Moderate
CVE-2026-32704
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 13, 2026
Black: Arbitrary file writes from unsanitized user input in cache file name
High
CVE-2026-32274
was published
for
black
(pip)
Mar 12, 2026
OliveTin's email argument makes compliance harder, enables log injection
Moderate
GHSA-xx6g-43w2-9g6g
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 12, 2026
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
Critical
CVE-2026-29188
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 4, 2026
OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
High
CVE-2026-28342
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 2, 2026
ProTip!
Advisories are also available from the
GraphQL API