GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,129
Maven
5,000+
npm
5,000+
NuGet
830
pip
4,436
Pub
12
RubyGems
988
Rust
1,172
Swift
50
Unreviewed advisories
All unreviewed
5,000+
5,301 advisories
Filter by severity
Craft Commerce: Potential IDOR in Commerce carts
Moderate
CVE-2026-31867
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
Low
CVE-2026-29177
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Inventory Location Name
Moderate
CVE-2026-29176
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
High
CVE-2026-29175
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
High
CVE-2026-29174
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Low
CVE-2026-29173
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
High
CVE-2026-29172
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft CMS has a potential information disclosure vulnerability in preview tokens
Low
CVE-2026-29113
was published
for
craftcms/cms
(Composer)
Mar 10, 2026
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
Moderate
CVE-2026-30964
was published
for
web-auth/webauthn-framework
(Composer)
Mar 10, 2026
flarum/nicknames extension has display name injection in notification emails (autolink & markdown)
Moderate
CVE-2026-30913
was published
for
flarum/nicknames
(Composer)
Mar 10, 2026
AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs
High
GHSA-93fx-5qgc-wr38
was published
for
azuracast/azuracast
(Composer)
Mar 9, 2026
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter
Moderate
CVE-2026-30927
was published
for
admidio/admidio
(Composer)
Mar 9, 2026
Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file
High
CVE-2025-14675
was published
for
wpmetabox/meta-box
(Composer)
Mar 7, 2026
AVideo has Unauthenticated IDOR - Playlist Information Disclosure
Moderate
CVE-2026-30885
was published
for
wwbn/avideo
(Composer)
Mar 7, 2026
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)
Moderate
GHSA-5q8v-j673-m5v4
was published
for
grumpydictator/firefly-iii
(Composer)
Mar 7, 2026
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names
Moderate
CVE-2026-30838
was published
for
league/commonmark
(Composer)
Mar 6, 2026
Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment
High
CVE-2025-15602
was published
for
snipe/snipe-it
(Composer)
Mar 6, 2026
EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
Moderate
GHSA-7rhv-h82h-vpjh
was published
for
ec-cube/ec-cube
(Composer)
Mar 5, 2026
Leantime has HTML injection through firstname and lastname fields
Moderate
GHSA-qrfh-cc86-vc8c
was published
for
leantime/leantime
(Composer)
Mar 5, 2026
AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
High
CVE-2026-29093
was published
for
wwbn/avideo
(Composer)
Mar 5, 2026
Craft CMS has unauthenticated activation email trigger with potential user enumeration
High
CVE-2026-29069
was published
for
craftcms/cms
(Composer)
Mar 4, 2026
Kimai's API invoice endpoint missing customer-level access control (IDOR)
Moderate
CVE-2026-28685
was published
for
kimai/kimai
(Composer)
Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
Moderate
CVE-2026-3242
was published
for
concrete5/concrete5
(Composer)
Mar 4, 2026
Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF)
Low
CVE-2026-2994
was published
for
concrete5/concrete5
(Composer)
Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
Moderate
CVE-2026-3240
was published
for
concrete5/concrete5
(Composer)
Mar 4, 2026
ProTip!
Advisories are also available from the
GraphQL API