Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

552 advisories

Loading
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion Critical
GHSA-rmpj-3x5m-9m5f was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken() Critical
CVE-2026-32267 was published for craftcms/cms (Composer) Mar 16, 2026
Winter vulnerable to privilege escalation by authenticated backend users Critical
CVE-2026-27591 was published for winter/wn-backend-module (Composer) Mar 12, 2026
skyhex19 Credited to skyhex19
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates Critical
CVE-2026-28697 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php Critical
CVE-2026-29058 was published for wwbn/avideo (Composer) Mar 3, 2026
arkmarta Credited to arkmarta
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php Critical
CVE-2026-27012 was published for devcode-it/openstamanager (Composer) Mar 3, 2026
RunProgram Credited to RunProgram
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection Critical
CVE-2026-26279 was published for froxlor/froxlor (Composer) Mar 3, 2026
Moonster8282 Credited to Moonster8282
Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint Critical
CVE-2026-28508 was published for idno/known (Composer) Mar 2, 2026
anuraagbaishya Credited to anuraagbaishya
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction Critical
CVE-2026-28502 was published for wwbn/avideo (Composer) Mar 2, 2026
arkmarta Credited to arkmarta
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php Critical
CVE-2026-28501 was published for wwbn/avideo (Composer) Mar 2, 2026
arkmarta Credited to arkmarta
Statamic is vulnerable to account takeover via password reset link injection Critical
CVE-2026-27593 was published for statamic/cms (Composer) Feb 24, 2026
Neosprings Credited to Neosprings
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization Critical
CVE-2026-26016 was published for pterodactyl/panel (Composer) Feb 17, 2026
duddnr0615k Credited to duddnr0615k and DaneEveritt DaneEveritt DaneEveritt
Known affected by Account Takeover via Password Reset Token Leakage Critical
CVE-2026-26273 was published for idno/known (Composer) Feb 13, 2026
IamLeandrooooo Credited to IamLeandrooooo
OpenSTAManager has an OS Command Injection in P7M File Processing Critical
CVE-2025-69212 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak Credited to lukasz-rybak
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor Critical
CVE-2026-25510 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Far-Horizons Credited to Far-Horizons
Laravel Redis Horizontal Scaling Insecure Deserialization Critical
CVE-2026-23524 was published for laravel/reverb (Composer) Jan 21, 2026
m0h4mmad Credited to m0h4mmad
Pagekit CMS has an Insecure Direct Object Reference (IDOR) in its User Role component Critical
CVE-2025-67165 was published for pagekit/pagekit (Composer) Dec 17, 2025
Pagekit CMS is vulnerable to OS Command Injection via Storage component Critical
CVE-2025-67164 was published for pagekit/pagekit (Composer) Dec 17, 2025
Grav may be vulnerable to SSRF attack via Twig Templates Critical
CVE-2025-66844 was published for getgrav/grav (Composer) Dec 15, 2025
MineAdmin has an insecure default password Critical
CVE-2025-65854 was published for mineadmin/mineadmin (Composer) Dec 12, 2025
Ibexa User Bundle is missing password change validation Critical
CVE-2025-67719 was published for ibexa/user (Composer) Dec 10, 2025
SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475 Critical
GHSA-5j8p-438x-rgg5 was published for onelogin/php-saml (Composer) Dec 9, 2025
d0ge Credited to d0ge
Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”) Critical
CVE-2025-67510 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
siewer Credited to siewer
Mautic user without privileged access to the Marketplace can install and uninstall composer packages Critical
CVE-2025-13828 was published for mautic/core (Composer) Dec 2, 2025
driskell Credited to driskell, escopecz, and patrykgruszka escopecz escopecz
patrykgruszka patrykgruszka
bagisto has CSV Formula Injection in Create New Product Critical
CVE-2025-62417 was published for bagisto/bagisto (Composer) Oct 16, 2025
kiwi865 Credited to kiwi865
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database