
GitHub Advisory Database

A security vulnerability database covering CVEs and GitHub-originated security advisories for open source software.

3,181 advisories match the current filter; every entry shown below is a Composer (PHP) package advisory rated Moderate.

Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` [Moderate]
CVE-2026-42207, openmage/magento-lts (Composer), published May 5, 2026
Credited to 0x0OZ

Admidio has an incomplete fix for CVE-2026-32812 (SSRF) [Moderate]
CVE-2026-42194, admidio/admidio (Composer), published May 5, 2026
Credited to decsecre583
AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover [Moderate]
CVE-2026-43875, wwbn/avideo (Composer), published May 5, 2026
Credited to offset

AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration [Moderate]
GHSA-qff7-q5fm-8p76, azuracast/azuracast (Composer), published May 4, 2026
Credited to offset

AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption [Moderate]
GHSA-4fm3-ggg2-c6qx, azuracast/azuracast (Composer), published May 4, 2026
Credited to offset

CI4MS has a Deactivated User Session Bypass (active=0) [Moderate]
CVE-2026-41891, ci4-cms-erp/ci4ms (Composer), published May 4, 2026
Credited to dapickle

CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess [Moderate]
CVE-2026-41890, ci4-cms-erp/ci4ms (Composer), published May 4, 2026
Credited to dapickle

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields [Moderate]
CVE-2026-42202, almirhodzic/nova-toggle-5 (Composer), published Apr 24, 2026
Credited to RobertoNegro

Kirby CMS's system API endpoint leaks installed version and license data to authenticated users [Moderate]
CVE-2026-42051, getkirby/cms (Composer), published May 4, 2026
Credited to HuajiHD and 0x-bala

Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions [Moderate]
CVE-2026-42174, getkirby/cms (Composer), published May 4, 2026

Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) [Moderate]
CVE-2026-41887, flarum/core (Composer), published Apr 22, 2026
Credited to LiamSnow and imorland

CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS [Moderate]
CVE-2026-41201, ci4-cms-erp/ci4ms (Composer), published Apr 22, 2026
Credited to bugmithlegend and DexterHK

Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload [Moderate, withdrawn]
CVE-2026-29905, getkirby/cms (Composer), published Mar 27, 2026
Credited to 0x5t4l1n and lukasbestle

Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation [Moderate]
CVE-2026-41671, admidio/admidio (Composer), published Apr 29, 2026
Credited to offset

Admidio Missing Minimum Administrator Check in Role Membership Removal [Moderate]
CVE-2026-41662, admidio/admidio (Composer), published Apr 29, 2026
Credited to adrgs and aisafe-bot

Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion [Moderate]
CVE-2026-41661, admidio/admidio (Composer), published Apr 29, 2026
Credited to adrgs and aisafe-bot

Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items [Moderate]
CVE-2026-41658, admidio/admidio (Composer), published Apr 29, 2026
Credited to offset

Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php [Moderate]
CVE-2026-41657, admidio/admidio (Composer), published Apr 29, 2026
Credited to offset

Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read [Moderate]
CVE-2026-41656, admidio/admidio (Composer), published Apr 29, 2026
Credited to offset

Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials [Moderate]
CVE-2026-41655, admidio/admidio (Composer), published Apr 29, 2026
Credited to offset

OpenID Connect nonce generated but never validated — ID token replay attack [Moderate]
CVE-2026-42206, roadiz/openid (Composer), published Apr 29, 2026
Credited to athuljayaram

PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer [Moderate]
CVE-2026-40296, phpoffice/phpspreadsheet (Composer), published Apr 28, 2026
Credited to Keyvanhardani
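The roadiz/openid entry above (CVE-2026-42206) names a pattern worth seeing end to end: a relying party generates an OIDC nonce, sends it in the authorization request, but never compares it against the `nonce` claim of the ID token it gets back, so a validly signed token captured from one login can be replayed in any other session. The following is an added example, not roadiz/openid's code nor any of the listed projects' code, written in Python rather than the projects' PHP so it runs stand-alone. It assumes an HS256-signed ID token verified with a constructed client secret (production code would verify RS256/ES256 against the provider's JWKS; the nonce handling is identical), and a dict standing in for the browser session. `issue_id_token` plays the provider; `finish_login_vulnerable` and `finish_login_fixed` are the two relying-party callbacks.

```python
"""Added example (not roadiz/openid code): OIDC nonce binding and single-use check."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret standing in for the client secret used to verify an
# HS256-signed ID token. Real deployments verify RS256/ES256 against the
# provider's JWKS; the nonce logic below is unchanged by the signature scheme.
CLIENT_SECRET = b"constructed-demo-client-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, nonce: str, ttl: int = 300) -> str:
    """Stand-in for the provider: mint an HS256 ID token echoing the nonce."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "nonce": nonce, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_id_token(token: str) -> dict:
    """Verify the signature and return the claims; ValueError on tampering."""
    header, payload, sig = token.split(".")
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def start_login(session: dict) -> str:
    """Relying party, step 1: generate a nonce, bind it to this browser session,
    and send it in the authorization request (returned here for the caller)."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    return nonce


def finish_login_vulnerable(session: dict, token: str) -> str:
    """The flawed pattern: a nonce was generated in start_login but is never
    compared, so any validly signed ID token logs in whoever presents it."""
    claims = decode_id_token(token)
    return claims["sub"]


def finish_login_fixed(session: dict, token: str) -> str:
    """Hardened: the token's nonce must equal the one bound to this session, and
    the stored nonce is consumed so the same token cannot be presented twice."""
    claims = decode_id_token(token)
    expected = session.pop("oidc_nonce", None)  # single use, even on failure
    if expected is None:
        raise ValueError("no login in progress for this session")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected):
        raise ValueError("nonce mismatch: token was not issued for this session")
    if claims.get("exp", 0) < time.time():
        raise ValueError("ID token expired")
    return claims["sub"]


def accepts(verify, session: dict, token: str) -> bool:
    """True if `verify` logs the token in, False if it rejects it."""
    try:
        verify(session, token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    victim = {}
    nonce = start_login(victim)
    token = issue_id_token("alice", nonce)   # provider's response to the victim's login
    attacker = {}
    start_login(attacker)                    # attacker has their own pending login
    print("vulnerable accepts replay:", accepts(finish_login_vulnerable, attacker, token))  # True
    print("fixed accepts replay:     ", accepts(finish_login_fixed, attacker, token))       # False
    print("fixed accepts owner:      ", accepts(finish_login_fixed, victim, token))         # True
    print("fixed accepts second use: ", accepts(finish_login_fixed, victim, token))         # False
```

The check that matters is the `compare_digest` against the session-bound value, and the `pop` that makes it single-use: a nonce that is generated, stored and then only read with `get` (never consumed) still allows the same token to be replayed into the session that created it until it expires.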
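Three entries above are path traversal through a user-supplied file name (the two Admidio document and ECard advisories, CVE-2026-41656 and CVE-2026-41655, and the Flarum LESS parser entry, CVE-2026-41887). The following is an added example, not code from Admidio, Flarum or any listed project, written in Python so it runs stand-alone; the base directory `DOCUMENT_ROOT` is constructed and need not exist. It puts the flawed join next to a containment check, and also covers the two cases a `startswith` prefix check gets wrong: an absolute name that replaces the base outright, and a sibling directory whose name merely begins with the base's name.

```python
"""Added example (not Admidio or Flarum code): keeping a user-supplied file
name inside a base directory, the vulnerable pattern beside the hardened one."""
import os

# Constructed base directory for the demonstration; it need not exist.
DOCUMENT_ROOT = "/srv/example-app/documents"


def resolve_vulnerable(base: str, name: str) -> str:
    """Flawed: joins the user-controlled name straight onto the base directory.
    '../' sequences climb out, and an absolute name discards the base entirely
    (os.path.join('/srv/x', '/etc/passwd') == '/etc/passwd')."""
    return os.path.join(base, name)


def resolve_contained(base: str, name: str) -> str:
    """Hardened: canonicalise both sides, then require the target to sit strictly
    inside the base. os.path.commonpath is used rather than startswith so that a
    sibling such as '/srv/example-app/documents2' is not mistaken for the base."""
    if not name or "\x00" in name:
        raise PermissionError("empty or NUL-containing file name")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"refusing path outside document root: {name!r}")
    return target


def is_contained(base: str, path: str) -> bool:
    """True if `path` (after canonicalisation) lies inside `base`."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(path)
    return target != base_real and os.path.commonpath([base_real, target]) == base_real


def rejects(base: str, name: str) -> bool:
    """True if resolve_contained refuses `name`."""
    try:
        resolve_contained(base, name)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    # Constructed attacker inputs of the kinds the advisories describe.
    for name in ["report.pdf", "sub/../report.pdf", "../../../../etc/passwd",
                 "/etc/passwd", "../documents2/secret.txt"]:
        bad = resolve_vulnerable(DOCUMENT_ROOT, name)
        print(f"{name!r:32} vulnerable -> {bad} (contained: {is_contained(DOCUMENT_ROOT, bad)})"
              f" | hardened rejects: {rejects(DOCUMENT_ROOT, name)}")
```

Canonicalising with `realpath` before the comparison matters: checking for the literal substring `..` in the name is bypassable through symlinks inside the base, and a check on the joined but un-normalised string is bypassable by `sub/../../`. The `target == base_real` clause refuses an empty or `.` name that would otherwise resolve to the directory itself.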
Advisories are also available from the GraphQL API.