GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,707 advisories

SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings High
GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) Jun 26, 2026
Statamic CMS's unsafe method invocation via collection sorting allows data destruction High
CVE-2026-49287 was published for statamic/cms (Composer) Jun 26, 2026
Credited to Eszh
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) High
CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Credited to tonghuaroot and endelwar
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards High
GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) Jun 26, 2026
Credited to SnailSploit and 0xShemesh
PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling High
CVE-2026-48979 was published for php-standard-library/h2 (Composer) Jun 26, 2026
Credited to azjezz
Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission High
CVE-2026-48505 was published for filament/filament (Composer) Jun 25, 2026
Credited to StarPlatinu and danharrin
Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection High
CVE-2026-54329 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to tahirsercan
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users High
CVE-2026-48507 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to louissanchez-vokecyber and whatisproblem
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration High
CVE-2026-33692 was published for wwbn/avideo (Composer) Jun 22, 2026
Credited to morimori-dev
symfony/ux-toolkit: Path Traversal Allows Arbitrary File Write and Read via Crafted Recipe Manifest High
CVE-2026-55878 was published for symfony/ux-toolkit (Composer) Jun 19, 2026
Credited to Kocal and Amoifr
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled High
CVE-2026-55692 was published for starcitizenwiki/embedvideo (Composer) Jun 19, 2026
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template High
CVE-2026-55691 was published for starcitizenwiki/embedvideo (Composer) Jun 19, 2026
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text High
CVE-2026-55690 was published for starcitizenwiki/embedvideo (Composer) Jun 19, 2026
PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks High
GHSA-jc38-x7x8-2xc8 was published for web-token/jwt-framework (Composer) Jun 18, 2026
Credited to Papadope
PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service High
GHSA-3prj-6hqw-cm82 was published for web-token/jwt-framework (Composer) Jun 18, 2026
Kirby: `pages.access` permission is not checked in the `site/find` REST API route High
CVE-2026-54005 was published for getkirby/cms (Composer) Jun 18, 2026
Credited to EvidentObscurity
Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()` High
CVE-2026-54002 was published for getkirby/cms (Composer) Jun 18, 2026
Credited to shafiqaimanx
Kirby: Self cross-site scripting (self-XSS) in the writer field High
CVE-2026-49276 was published for getkirby/cms (Composer) Jun 18, 2026
Cotonti: Stored Cross-Site Scripting in the Personal File Storage (PFS) module High
CVE-2026-55746 was published for cotonti/cotonti (Composer) Jun 18, 2026
Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module High
CVE-2026-55744 was published for cotonti/cotonti (Composer) Jun 18, 2026
Pimcore CMS Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed High
CVE-2026-11407 was published for pimcore/pimcore (Composer) Jun 17, 2026
Filament: Disabled RichEditor field state can be used for XSS High
CVE-2026-55409 was published for filament/forms (Composer) Jun 17, 2026
Credited to mike197312 and danharrin