Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
42
Go
3,138
Maven
5,000+
npm
5,000+
NuGet
831
pip
4,438
Pub
12
RubyGems
990
Rust
1,174
Swift
50
Unreviewed advisories
All unreviewed
5,000+

5,310 advisories

Loading
CraftCMS's `ElementSearchController` Affected by Blind SQL Injection High
CVE-2026-31858 was published for craftcms/cms (Composer) Mar 11, 2026
Neosprings Credited to Neosprings
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization Low
CVE-2026-31859 was published for craftcms/cms (Composer) Mar 11, 2026
Sylius has a DQL Injection via API Order Filters Moderate
CVE-2026-31825 was published for sylius/sylius (Composer) Mar 11, 2026
Neosprings Credited to Neosprings
Sylius has a Promotion Usage Limit Bypass via Race Condition High
CVE-2026-31824 was published for sylius/sylius (Composer) Mar 11, 2026
whiteov3rflow Credited to whiteov3rflow
Sylius Vulnerable to Authenticated Stored XSS Moderate
CVE-2026-31823 was published for sylius/sylius (Composer) Mar 11, 2026
whiteov3rflow Credited to whiteov3rflow
Sylius has a XSS vulnerability in checkout login form Moderate
CVE-2026-31822 was published for sylius/sylius (Composer) Mar 11, 2026
Sylius is Missing Authorization in API v2 Add Item Endpoint Moderate
CVE-2026-31821 was published for sylius/sylius (Composer) Mar 11, 2026
Sylius affected by IDOR in Cart and Checkout LiveComponents High
CVE-2026-31820 was published for sylius/sylius (Composer) Mar 11, 2026
p- Credited to p- and m-y-mo m-y-mo m-y-mo
Sylius has an Open Redirect via Referer Header Moderate
CVE-2026-31819 was published for sylius/sylius (Composer) Mar 11, 2026
Craft Commerce: Potential IDOR in Commerce carts Moderate
CVE-2026-31867 was published for craftcms/commerce (Composer) Mar 10, 2026
rlarabee Credited to rlarabee and RajChowdhury240 RajChowdhury240 RajChowdhury240
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout Low
CVE-2026-29177 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Craft Commerce has stored XSS in Inventory Location Name Moderate
CVE-2026-29176 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking High
CVE-2026-29175 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting High
CVE-2026-29174 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table Low
CVE-2026-29173 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting High
CVE-2026-29172 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Craft CMS has a potential information disclosure vulnerability in preview tokens Low
CVE-2026-29113 was published for craftcms/cms (Composer) Mar 10, 2026
singetu0096 Credited to singetu0096
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation Moderate
CVE-2026-30964 was published for web-auth/webauthn-framework (Composer) Mar 10, 2026
dorakemon Credited to dorakemon
flarum/nicknames extension has display name injection in notification emails (autolink & markdown) Moderate
CVE-2026-30913 was published for flarum/nicknames (Composer) Mar 10, 2026
imorland Credited to imorland and DavideIadeluca DavideIadeluca DavideIadeluca
AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs High
GHSA-93fx-5qgc-wr38 was published for azuracast/azuracast (Composer) Mar 9, 2026
q1uf3ng Credited to q1uf3ng
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter Moderate
CVE-2026-30927 was published for admidio/admidio (Composer) Mar 9, 2026
Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file High
CVE-2025-14675 was published for wpmetabox/meta-box (Composer) Mar 7, 2026
ictbeheer Credited to ictbeheer
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
CVE-2026-30885 was published for wwbn/avideo (Composer) Mar 7, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR) Moderate
GHSA-5q8v-j673-m5v4 was published for grumpydictator/firefly-iii (Composer) Mar 7, 2026
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names Moderate
CVE-2026-30838 was published for league/commonmark (Composer) Mar 6, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database