GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,414 advisories
AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
High · CVE-2026-29093 was published for wwbn/avideo (Composer) · Mar 5, 2026

Craft CMS has unauthenticated activation email trigger with potential user enumeration
High · CVE-2026-29069 was published for craftcms/cms (Composer) · Mar 4, 2026

Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection
High · CVE-2026-3452 was published for concrete5/concrete5 (Composer) · Mar 4, 2026

Craft CMS has IDOR via GraphQL @parseRefs
High · CVE-2026-28696 was published for craftcms/cms (Composer) · Mar 3, 2026

Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal
High · CVE-2026-28507 was published for idno/known (Composer) · Mar 2, 2026

Statamic vulnerable to privilege escalation via stored cross-site scripting
High · CVE-2026-28426 was published for statamic/cms (Composer) · Mar 1, 2026

Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
High · CVE-2026-28425 was published for statamic/cms (Composer) · Mar 1, 2026

Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
High · CVE-2026-27939 was published for statamic/cms (Composer) · Feb 27, 2026

phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint
High · CVE-2026-27836 was published for thorsten/phpmyfaq (Composer) · Feb 27, 2026

Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting
High · CVE-2026-3105 was published for mautic/core (Composer) · Feb 25, 2026

AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
High · CVE-2026-27732 was published for wwbn/avideo (Composer) · Feb 25, 2026

Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
High · CVE-2026-27127 was published for craftcms/cms (Composer) · Feb 23, 2026

Moodle has a Remote Code Execution risk via file restore
High · CVE-2026-26045 was published for moodle/moodle (Composer) · Feb 21, 2026

Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()
High · CVE-2026-27206 was published for zumba/json-serializer (Composer) · Feb 19, 2026

Formwork Improperly Managed Privileges in User creation
High · CVE-2026-27198 was published for getformwork/formwork (Composer) · Feb 19, 2026

Statamic affected by privilege escalation via stored cross-site scripting
High · CVE-2026-27196 was published for statamic/cms (Composer) · Feb 19, 2026

LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php
High · CVE-2026-26990 was published for librenms/librenms (Composer) · Feb 18, 2026

LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.
High · CVE-2026-26988 was published for librenms/librenms (Composer) · Feb 18, 2026

Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
High · GHSA-hr7j-63v7-vj7g was published for github.com/pterodactyl/wings (Composer) · Feb 17, 2026

MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution
High · GHSA-r33w-fg8j-9c94 was published for cesargb/laravel-magiclink (Composer) · Feb 12, 2026

Statamic CMS vulnerable to privilege escalation via stored cross-site scripting
High · CVE-2026-25759 was published for statamic/cms (Composer) · Feb 11, 2026

Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint
High · CVE-2026-25892 was published for vrana/adminer (Composer) · Feb 10, 2026

Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
High · CVE-2026-25498 was published for craftcms/cms (Composer) · Feb 9, 2026

Craft CMS: GraphQL Asset Mutation Privilege Escalation
High · CVE-2026-25497 was published for craftcms/cms (Composer) · Feb 9, 2026

Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
High · CVE-2026-25495 was published for craftcms/cms (Composer) · Feb 9, 2026

ProTip! Advisories are also available from the GraphQL API.