Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,013
Maven
5,000+
npm
4,737
NuGet
814
pip
4,346
Pub
12
RubyGems
987
Rust
1,139
Swift
50
Unreviewed advisories
All unreviewed
5,000+

5,239 advisories

Loading
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause Moderate
CVE-2026-27461 was published for pimcore/pimcore (Composer) Feb 24, 2026
q1uf3ng
Credited to q1uf3ng
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution Moderate
CVE-2026-27129 was published for craftcms/cms (Composer) Feb 24, 2026
RajChowdhury240 rlarabee
Credited to RajChowdhury240 and rlarabee
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit Moderate
CVE-2026-27128 was published for craftcms/cms (Composer) Feb 23, 2026
vitalysim
Credited to vitalysim
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding High
CVE-2026-27127 was published for craftcms/cms (Composer) Feb 23, 2026
RajChowdhury240 rlarabee
Credited to RajChowdhury240 and rlarabee
Craft CMS has Stored XSS in Table Field via "HTML" Column Type Moderate
CVE-2026-27126 was published for craftcms/cms (Composer) Feb 23, 2026
mHe4am
Credited to mHe4am
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection Moderate
CVE-2026-27568 was published for wwbn/avideo (Composer) Feb 20, 2026
arkmarta
Credited to arkmarta
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize() High
CVE-2026-27206 was published for zumba/json-serializer (Composer) Feb 19, 2026
TheDeepOpc jrbasso
cjsaylor
Credited to TheDeepOpc, jrbasso, and cjsaylor
Formwork Improperly Managed Privileges in User creation High
CVE-2026-27198 was published for getformwork/formwork (Composer) Feb 19, 2026
G3XAR
Credited to G3XAR
Statamic affected by privilege escalation via stored cross-site scripting High
CVE-2026-27196 was published for statamic/cms (Composer) Feb 19, 2026
genneta
Credited to genneta
LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php High
CVE-2026-26990 was published for librenms/librenms (Composer) Feb 18, 2026
quirmz
Credited to quirmz
LibreNMS has a Stored XSS in Alert Rule Moderate
CVE-2026-26989 was published for librenms/librenms (Composer) Feb 18, 2026
quirmz
Credited to quirmz
LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream. High
CVE-2026-26988 was published for librenms/librenms (Composer) Feb 18, 2026
Snow1nd
Credited to Snow1nd
LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags() Moderate
CVE-2026-27016 was published for librenms/librenms (Composer) Feb 18, 2026
decsecre583
Credited to decsecre583
LibreNMS /port-groups name Stored Cross-Site Scripting Moderate
CVE-2026-26992 was published for librenms/librenms (Composer) Feb 18, 2026
wsparks-vulncheck awoffsec
Credited to wsparks-vulncheck and awoffsec
LibreNMS /device-groups name Stored Cross-Site Scripting Moderate
CVE-2026-26991 was published for librenms/librenms (Composer) Feb 18, 2026
wsparks-vulncheck awoffsec
Credited to wsparks-vulncheck and awoffsec
LibreNMS affected by reflected xss via email field Moderate
CVE-2026-26987 was published for librenms/librenms (Composer) Feb 18, 2026
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization Critical
CVE-2026-26016 was published for pterodactyl/panel (Composer) Feb 17, 2026
duddnr0615k DaneEveritt
Credited to duddnr0615k and DaneEveritt
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change High
GHSA-hr7j-63v7-vj7g was published for github.com/pterodactyl/wings (Composer) Feb 17, 2026
KTOymep
Credited to KTOymep
ImapEngine affected by command injection via the ID command parameters Moderate
CVE-2026-2469 was published for directorytree/imapengine (Composer) Feb 14, 2026
Known affected by Account Takeover via Password Reset Token Leakage Critical
CVE-2026-26273 was published for idno/known (Composer) Feb 13, 2026
IamLeandrooooo
Credited to IamLeandrooooo
MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution High
GHSA-r33w-fg8j-9c94 was published for cesargb/laravel-magiclink (Composer) Feb 12, 2026
Prav33N-Sec
Credited to Prav33N-Sec
Statamic CMS vulnerable to privilege escalation via stored cross-site scripting High
CVE-2026-25759 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Statamic CMS's missing authorization allows access to assets Moderate
CVE-2026-25633 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Phraseanet vulnerable to stored cross-site scripting through crafted file names Moderate
CVE-2018-25157 was published for phraseanet/phraseanet (Composer) Feb 11, 2026
Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions Moderate
CVE-2019-25317 was published for kimai/kimai (Composer) Feb 11, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database