GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
10 advisories
Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)
Moderate
CVE-2026-32947
was published
for
step-security/harden-runner
(GitHub Actions)
Mar 17, 2026
Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)
Moderate
CVE-2026-32946
was published
for
step-security/harden-runner
(GitHub Actions)
Mar 17, 2026
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Critical
CVE-2026-30863
was published
for
parse-server
(npm)
Mar 9, 2026
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
High
CVE-2026-30229
was published
for
parse-server
(npm)
Mar 6, 2026
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
Moderate
CVE-2026-30228
was published
for
parse-server
(npm)
Mar 6, 2026
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
High
CVE-2026-29182
was published
for
parse-server
(npm)
Mar 5, 2026
Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Moderate
CVE-2026-25598
was published
for
step-security/harden-runner
(GitHub Actions)
Feb 9, 2026
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
Moderate
CVE-2026-24398
was published
for
hono
(npm)
Jan 27, 2026
Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
High
CVE-2026-22818
was published
for
hono
(npm)
Jan 13, 2026
Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
High
CVE-2026-22817
was published
for
hono
(npm)
Jan 13, 2026
ProTip!
Advisories are also available from the
GraphQL API