GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,491 advisories

AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters High
GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) Mar 27, 2026
Saloon has insecure deserialization in AccessTokenAuthenticator High
CVE-2026-33942 was published for saloonphp/saloon (Composer) Mar 27, 2026
Credited to JonPurvis, Sammyjo20, and HuajiHD
TSPortal: Any user can forge self-deletion requests for any account High
CVE-2026-29788 was published for miraheze/ts-portal (Composer) Mar 27, 2026
Credited to pskyechology and Universal-Omega
AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables High
CVE-2026-33770 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to athuljayaram
AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query High
CVE-2026-33767 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to athuljayaram
LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write High
GHSA-pr3g-phhr-h8fh was published for librenms/librenms (Composer) Mar 26, 2026
Credited to YuriNek0
AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter High
CVE-2026-33723 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment High
CVE-2026-33719 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL High
CVE-2026-33717 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion High
GHSA-p2gh-cfq4-4wjc was published for google/protobuf (Composer) Mar 25, 2026
Credited to 34selen
MantisBT has Stored HTML Injection/XSS when displaying Tags in Timeline High
CVE-2026-33548 was published for mantisbt/mantisbt (Composer) Mar 25, 2026
Credited to shukla304 and dregad
Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil High
CVE-2026-33686 was published for code16/sharp (Composer) Mar 25, 2026
Sharp has Unrestricted File Upload via Client-Controlled Validation Rules High
CVE-2026-33687 was published for code16/sharp (Composer) Mar 25, 2026
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation High
CVE-2026-33517 was published for mantisbt/mantisbt (Composer) Mar 25, 2026
Credited to shukla304 and dregad
Credited to offset
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables High
CVE-2026-33673 was published for prestashop/prestashop (Composer) Mar 25, 2026
WeChat Pay callback signature verification bypassed when Host header is localhost High
CVE-2026-33661 was published for yansongda/pay (Composer) Mar 25, 2026
AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion High
CVE-2026-33650 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload High
CVE-2026-33647 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior High
CVE-2026-33157 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to yuma4869
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API High
CVE-2026-30932 was published for froxlor/froxlor (Composer) Mar 24, 2026
Credited to q1uf3ng
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information High
CVE-2026-32300 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso
ProTip! Advisories are also available from the GraphQL API