GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,192 advisories

AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements Moderate
CVE-2026-43883 was published for wwbn/avideo (Composer) May 5, 2026
Credited to offset
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing Moderate
CVE-2026-43882 was published for wwbn/avideo (Composer) May 5, 2026
Credited to offset
Grav is Vulnerable to XXE via SVG Upload Moderate
GHSA-3446-6mgw-f79p was published for getgrav/grav (Composer) May 5, 2026
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass Moderate
CVE-2026-42610 was published for getgrav/grav (Composer) May 5, 2026
Credited to Samer666569
Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel Moderate
CVE-2026-42842 was published for getgrav/grav (Composer) May 5, 2026
Credited to cyabell
Grav CMS vulnerable to stored XSS via Markdown media attribute() action Moderate
CVE-2026-42841 was published for getgrav/grav (Composer) May 5, 2026
Credited to K-Czaplicki and morzelowski
Kimai vulnerable to formula Injection via tag names in XLSX export Moderate
CVE-2026-42267 was published for kimai/kimai (Composer) May 5, 2026
Credited to satexd
Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` Moderate
CVE-2026-42207 was published for openmage/magento-lts (Composer) May 5, 2026
Credited to 0x0OZ
Admidio has an incomplete fix for CVE-2026-32812 (SSRF) Moderate
CVE-2026-42194 was published for admidio/admidio (Composer) May 5, 2026
Credited to decsecre583
Credited to offset
AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover Moderate
CVE-2026-43875 was published for wwbn/avideo (Composer) May 5, 2026
Credited to offset
AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration Moderate
GHSA-qff7-q5fm-8p76 was published for azuracast/azuracast (Composer) May 4, 2026
Credited to offset
AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption Moderate
GHSA-4fm3-ggg2-c6qx was published for azuracast/azuracast (Composer) May 4, 2026
Credited to offset
CI4MS has a Deactivated User Session Bypass (active=0) Moderate
CVE-2026-41891 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
Credited to dapickle
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess Moderate
CVE-2026-41890 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
Credited to dapickle
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users Moderate
CVE-2026-42051 was published for getkirby/cms (Composer) May 4, 2026
Credited to HuajiHD and 0x-bala
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions Moderate
CVE-2026-42174 was published for getkirby/cms (Composer) May 4, 2026
Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation Moderate
CVE-2026-41671 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio Missing Minimum Administrator Check in Role Membership Removal Moderate
CVE-2026-41662 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion Moderate
CVE-2026-41661 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
ProTip! Advisories are also available from the GraphQL API