Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
42
Go
3,138
Maven
5,000+
npm
5,000+
NuGet
831
pip
4,438
Pub
12
RubyGems
990
Rust
1,174
Swift
50
Unreviewed advisories
All unreviewed
5,000+

3,001 advisories

Loading
Sylius has a DQL Injection via API Order Filters Moderate
CVE-2026-31825 was published for sylius/sylius (Composer) Mar 11, 2026
Neosprings Credited to Neosprings
Sylius Vulnerable to Authenticated Stored XSS Moderate
CVE-2026-31823 was published for sylius/sylius (Composer) Mar 11, 2026
whiteov3rflow Credited to whiteov3rflow
Sylius has a XSS vulnerability in checkout login form Moderate
CVE-2026-31822 was published for sylius/sylius (Composer) Mar 11, 2026
Sylius is Missing Authorization in API v2 Add Item Endpoint Moderate
CVE-2026-31821 was published for sylius/sylius (Composer) Mar 11, 2026
Sylius has an Open Redirect via Referer Header Moderate
CVE-2026-31819 was published for sylius/sylius (Composer) Mar 11, 2026
Craft Commerce: Potential IDOR in Commerce carts Moderate
CVE-2026-31867 was published for craftcms/commerce (Composer) Mar 10, 2026
rlarabee Credited to rlarabee and RajChowdhury240 RajChowdhury240 RajChowdhury240
Craft Commerce has stored XSS in Inventory Location Name Moderate
CVE-2026-29176 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation Moderate
CVE-2026-30964 was published for web-auth/webauthn-framework (Composer) Mar 10, 2026
dorakemon Credited to dorakemon
flarum/nicknames extension has display name injection in notification emails (autolink & markdown) Moderate
CVE-2026-30913 was published for flarum/nicknames (Composer) Mar 10, 2026
imorland Credited to imorland and DavideIadeluca DavideIadeluca DavideIadeluca
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter Moderate
CVE-2026-30927 was published for admidio/admidio (Composer) Mar 9, 2026
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
CVE-2026-30885 was published for wwbn/avideo (Composer) Mar 7, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR) Moderate
GHSA-5q8v-j673-m5v4 was published for grumpydictator/firefly-iii (Composer) Mar 7, 2026
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names Moderate
CVE-2026-30838 was published for league/commonmark (Composer) Mar 6, 2026
EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface Moderate
GHSA-7rhv-h82h-vpjh was published for ec-cube/ec-cube (Composer) Mar 5, 2026
Leantime has HTML injection through firstname and lastname fields Moderate
GHSA-qrfh-cc86-vc8c was published for leantime/leantime (Composer) Mar 5, 2026
PratikKaran23 Credited to PratikKaran23
Kimai's API invoice endpoint missing customer-level access control (IDOR) Moderate
CVE-2026-28685 was published for kimai/kimai (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3242 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3244 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3240 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3241 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI Moderate
CVE-2026-28784 was published for craftcms/cms (Composer) Mar 3, 2026
RajChowdhury240 Credited to RajChowdhury240 and rlarabee rlarabee rlarabee
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action Moderate
CVE-2026-28782 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
Craft CMS has Twig Function Blocklist Bypass Moderate
CVE-2026-28783 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
Craft CMS: Entries Authorship Spoofing via Mass Assignment Moderate
CVE-2026-28781 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am, RajChowdhury240, and rlarabee RajChowdhury240 RajChowdhury240
rlarabee rlarabee
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget Moderate
CVE-2026-28695 was published for craftcms/cms (Composer) Mar 3, 2026
andreisss Credited to andreisss
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database