Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,653
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,860
Pub
13
RubyGems
1,050
Rust
1,304
Swift
53
Unreviewed advisories
All unreviewed
5,000+

5,692 advisories

Loading
FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field Moderate
CVE-2026-32699 was published for facturascripts/facturascripts (Composer) Apr 28, 2026
TurkiOS Credited to TurkiOS
PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer Moderate
CVE-2026-35453 was published for phpoffice/phpspreadsheet (Composer) Apr 28, 2026
marduc812 Credited to marduc812
PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer Moderate
CVE-2026-40296 was published for phpoffice/phpspreadsheet (Composer) Apr 28, 2026
Keyvanhardani Credited to Keyvanhardani
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled High
CVE-2026-34084 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
calligraf0 Credited to calligraf0
PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader High
CVE-2026-40863 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
offset Credited to offset
PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions High
CVE-2026-40902 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
offset Credited to offset
Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions High
CVE-2026-31019 was published for dolibarr/dolibarr (Composer) Apr 21, 2026
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution High
CVE-2026-41587 was published for ci4-cms-erp/ci4ms (Composer) Apr 29, 2026
dapickle Credited to dapickle
OpenID Connect nonce generated but never validated — ID token replay attack Moderate
CVE-2026-42206 was published for roadiz/openid (Composer) Apr 29, 2026
athuljayaram Credited to athuljayaram
ipl/web is vulnerable to reflected XSS by malformed search requests High
CVE-2026-42224 was published for ipl/web (Composer) Apr 29, 2026
Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials Moderate
CVE-2026-41655 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read Moderate
CVE-2026-41656 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php Moderate
CVE-2026-41657 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items Moderate
CVE-2026-41658 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment Low
CVE-2026-41659 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP High
CVE-2026-41660 was published for admidio/admidio (Composer) Apr 29, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion Moderate
CVE-2026-41661 was published for admidio/admidio (Composer) Apr 29, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Admidio Missing Minimum Administrator Check in Role Membership Removal Moderate
CVE-2026-41662 was published for admidio/admidio (Composer) Apr 29, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send Low
CVE-2026-41663 was published for admidio/admidio (Composer) Apr 29, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests High
CVE-2026-41669 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest High
CVE-2026-41670 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation Moderate
CVE-2026-41671 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload Moderate
CVE-2026-29905 was published for getkirby/cms (Composer) Mar 27, 2026 withdrawn
0x5t4l1n Credited to 0x5t4l1n and lukasbestle lukasbestle lukasbestle
CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS Critical
CVE-2026-35035 was published for ci4-cms-erp/ci4ms (Composer) Apr 6, 2026
bugmithlegend Credited to bugmithlegend and peeefour peeefour peeefour
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS Moderate
CVE-2026-41201 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
bugmithlegend Credited to bugmithlegend and DexterHK DexterHK DexterHK
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database