GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
2,991 advisories
AVideo has Unauthenticated IDOR - Playlist Information Disclosure (Moderate severity). GHSA-6w2r-cfpc-23r5 was published for wwbn/avideo (Composer) on Mar 7, 2026.

Firefly III user API endpoints expose all users' information to any authenticated user (IDOR) (Moderate severity). GHSA-5q8v-j673-m5v4 was published for grumpydictator/firefly-iii (Composer) on Mar 7, 2026.

CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names (Moderate severity). CVE-2026-30838 was published for league/commonmark (Composer) on Mar 6, 2026.

EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface (Moderate severity). GHSA-7rhv-h82h-vpjh was published for ec-cube/ec-cube (Composer) on Mar 5, 2026.

Leantime has HTML injection through firstname and lastname fields (Moderate severity). GHSA-qrfh-cc86-vc8c was published for leantime/leantime (Composer) on Mar 5, 2026.

Kimai's API invoice endpoint missing customer-level access control (IDOR) (Moderate severity). CVE-2026-28685 was published for kimai/kimai (Composer) on Mar 4, 2026.

Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability (Moderate severity). CVE-2026-3242 was published for concrete5/concrete5 (Composer) on Mar 4, 2026.

Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability (Moderate severity). CVE-2026-3241 was published for concrete5/concrete5 (Composer) on Mar 4, 2026.

Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability (Moderate severity). CVE-2026-3240 was published for concrete5/concrete5 (Composer) on Mar 4, 2026.

Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability (Moderate severity). CVE-2026-3244 was published for concrete5/concrete5 (Composer) on Mar 4, 2026.

Craft CMS has potential authenticated Remote Code Execution via Twig SSTI (Moderate severity). CVE-2026-28784 was published for craftcms/cms (Composer) on Mar 3, 2026.

Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action (Moderate severity). CVE-2026-28782 was published for craftcms/cms (Composer) on Mar 3, 2026.

Craft CMS has Twig Function Blocklist Bypass (Moderate severity). CVE-2026-28783 was published for craftcms/cms (Composer) on Mar 3, 2026.

Craft CMS: Entries Authorship Spoofing via Mass Assignment (Moderate severity). CVE-2026-28781 was published for craftcms/cms (Composer) on Mar 3, 2026.

Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget (Moderate severity). CVE-2026-28695 was published for craftcms/cms (Composer) on Mar 3, 2026.

OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter (Moderate severity). CVE-2026-24415 was published for devcode-it/openstamanager (Composer) on Mar 3, 2026.

Statamic's missing authorization allows access to email addresses (Moderate severity). CVE-2026-28424 was published for statamic/cms (Composer) on Mar 1, 2026.

Statamic Vulnerable to Server-Side Request Forgery via Glide (Moderate severity). CVE-2026-28423 was published for statamic/cms (Composer) on Mar 1, 2026.

TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload (Moderate severity). CVE-2026-27621 was published for typicms/core (Composer) on Feb 25, 2026.

Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause (Moderate severity). CVE-2026-27461 was published for pimcore/pimcore (Composer) on Feb 24, 2026.

Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution (Moderate severity). CVE-2026-27129 was published for craftcms/cms (Composer) on Feb 24, 2026.

Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit (Moderate severity). CVE-2026-27128 was published for craftcms/cms (Composer) on Feb 23, 2026.

Craft CMS has Stored XSS in Table Field via "HTML" Column Type (Moderate severity). CVE-2026-27126 was published for craftcms/cms (Composer) on Feb 23, 2026.

funadmin exposes sensitive information via getMember function (Moderate severity). CVE-2026-2894 was published for funadmin/funadmin (Composer) on Feb 22, 2026.

funadmin has Incorrect Privilege Assignment in its Configuration Handler (Moderate severity). CVE-2026-2896 was published for funadmin/funadmin (Composer) on Feb 22, 2026.
ProTip! Advisories are also available from the GraphQL API.