GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
42
Go
3,138
Maven
5,000+
npm
5,000+
NuGet
831
pip
4,438
Pub
12
RubyGems
990
Rust
1,174
Swift
50
Unreviewed advisories
All unreviewed
5,000+
5,310 advisories
Filter by severity
CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
High
CVE-2026-31858
was published
for
craftcms/cms
(Composer)
Mar 11, 2026
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
Low
CVE-2026-31859
was published
for
craftcms/cms
(Composer)
Mar 11, 2026
Sylius has a DQL Injection via API Order Filters
Moderate
CVE-2026-31825
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Sylius has a Promotion Usage Limit Bypass via Race Condition
High
CVE-2026-31824
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Sylius Vulnerable to Authenticated Stored XSS
Moderate
CVE-2026-31823
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Sylius has a XSS vulnerability in checkout login form
Moderate
CVE-2026-31822
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Sylius is Missing Authorization in API v2 Add Item Endpoint
Moderate
CVE-2026-31821
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Sylius affected by IDOR in Cart and Checkout LiveComponents
High
CVE-2026-31820
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Sylius has an Open Redirect via Referer Header
Moderate
CVE-2026-31819
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Craft Commerce: Potential IDOR in Commerce carts
Moderate
CVE-2026-31867
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
Low
CVE-2026-29177
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Inventory Location Name
Moderate
CVE-2026-29176
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
High
CVE-2026-29175
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
High
CVE-2026-29174
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Low
CVE-2026-29173
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
High
CVE-2026-29172
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft CMS has a potential information disclosure vulnerability in preview tokens
Low
CVE-2026-29113
was published
for
craftcms/cms
(Composer)
Mar 10, 2026
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
Moderate
CVE-2026-30964
was published
for
web-auth/webauthn-framework
(Composer)
Mar 10, 2026
flarum/nicknames extension has display name injection in notification emails (autolink & markdown)
Moderate
CVE-2026-30913
was published
for
flarum/nicknames
(Composer)
Mar 10, 2026
AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs
High
GHSA-93fx-5qgc-wr38
was published
for
azuracast/azuracast
(Composer)
Mar 9, 2026
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter
Moderate
CVE-2026-30927
was published
for
admidio/admidio
(Composer)
Mar 9, 2026
Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file
High
CVE-2025-14675
was published
for
wpmetabox/meta-box
(Composer)
Mar 7, 2026
AVideo has Unauthenticated IDOR - Playlist Information Disclosure
Moderate
CVE-2026-30885
was published
for
wwbn/avideo
(Composer)
Mar 7, 2026
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)
Moderate
GHSA-5q8v-j673-m5v4
was published
for
grumpydictator/firefly-iii
(Composer)
Mar 7, 2026
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names
Moderate
CVE-2026-30838
was published
for
league/commonmark
(Composer)
Mar 6, 2026
ProTip!
Advisories are also available from the
GraphQL API