GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:

| Ecosystem | Reviewed advisories |
|---|---|
| All reviewed | 5,000+ |
| Composer | 5,000+ |
| Erlang | 46 |
| GitHub Actions | 48 |
| Go | 3,361 |
| Maven | 5,000+ |
| npm | 5,000+ |
| NuGet | 881 |
| pip | 4,554 |
| Pub | 12 |
| RubyGems | 1,013 |
| Rust | 1,205 |
| Swift | 51 |

Unreviewed advisories (all unreviewed): 5,000+

Listing: 5,462 advisories (the entries below are all GitHub reviewed advisories for Composer packages).
| Advisory | Severity | Identifier | Package (Composer) | Published |
|---|---|---|---|---|
| AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page | High | CVE-2026-34375 | wwbn/avideo | Mar 30, 2026 |
| Sulu checks fix permissions for subentities endpoints | Moderate | CVE-2026-34372 | sulu/sulu | Mar 30, 2026 |
| AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification | Moderate | CVE-2026-34369 | wwbn/avideo | Mar 30, 2026 |
| AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance | Moderate | CVE-2026-34368 | wwbn/avideo | Mar 30, 2026 |
| AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php | Moderate | CVE-2026-34364 | wwbn/avideo | Mar 30, 2026 |
| ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | Moderate | CVE-2026-27599 | ci4-cms-erp/ci4ms | Mar 30, 2026 |
| AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() | Moderate | CVE-2026-34362 | wwbn/avideo | Mar 30, 2026 |
| Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground | Moderate | CVE-2026-27131 | putyourlightson/craft-sprig | Mar 23, 2026 |
| Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL | Moderate | CVE-2026-33182 | saloonphp/saloon | Mar 25, 2026 |
| Saloon has a Fixture Name Path Traversal Vulnerability | Moderate | CVE-2026-33183 | saloonphp/saloon | Mar 25, 2026 |
| Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API | High | CVE-2026-30932 | froxlor/froxlor | Mar 24, 2026 |
| AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications | Moderate | CVE-2026-34247 | wwbn/avideo | Mar 29, 2026 |
| AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking | Moderate | CVE-2026-34245 | wwbn/avideo | Mar 29, 2026 |
| AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records | High | GHSA-wprj-9cvc-5w37 | wwbn/avideo | Mar 29, 2026 |
| Pterodactyl improperly locks resources allowing raced queries to create more resources than allotted | Moderate | CVE-2025-69198 | pterodactyl/panel | Jan 20, 2026 |
| Kirby CMS has Persistent DoS via Malformed Image Upload | Moderate | CVE-2026-29905 | getkirby/cms | Mar 27, 2026 |
| WeChat Pay callback signature verification bypassed when Host header is localhost | High | CVE-2026-33661 | yansongda/pay | Mar 25, 2026 |
| league/commonmark has an embed extension allowed_domains bypass | Moderate | CVE-2026-33347 | league/commonmark | Mar 19, 2026 |
| Statamic allows unauthorized content access through missing authorization in its revision controllers | Moderate | CVE-2026-33887 | statamic/cms | Mar 26, 2026 |
| Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential | Moderate | CVE-2026-33885 | statamic/cms | Mar 26, 2026 |
| Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields | Moderate | CVE-2026-33886 | statamic/cms | Mar 26, 2026 |
| Statamic's live preview token bypasses content protection for unrelated entries | Moderate | CVE-2026-33884 | statamic/cms | Mar 26, 2026 |
| Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag | Moderate | CVE-2026-33883 | statamic/cms | Mar 26, 2026 |
| Statamic's Markdown preview endpoint exposes sensitive user data | Moderate | CVE-2026-33882 | statamic/cms | Mar 26, 2026 |
| AVideo has Plaintext Video Password Storage | Critical | CVE-2026-33867 | wwbn/avideo | Mar 26, 2026 |
Advisories are also available from the GraphQL API.