GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,707 advisories
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings (High). GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) on Jun 26, 2026.

Statamic CMS's unsafe method invocation via collection sorting allows data destruction (High). CVE-2026-49287 was published for statamic/cms (Composer) on Jun 26, 2026.

PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) (High). CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.

php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc) (High). CVE-2026-49260 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.

phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards (High). GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) on Jun 26, 2026.

PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling (High). CVE-2026-48979 was published for php-standard-library/h2 (Composer) on Jun 26, 2026.

Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission (High). CVE-2026-48505 was published for filament/filament (Composer) on Jun 25, 2026.

Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php (High). CVE-2026-8350 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Concrete CMS has Stored XSS through its height parameter (High). CVE-2026-8203 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Concrete CMS is Vulnerable to Cross-Site Request Forgery (High). CVE-2026-8428 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Concrete CMS contains a CSRF vulnerability (High). CVE-2026-8421 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Concrete does not validate a CSRF token before processing requests to `/dashboard/extend/update/do_update/<pkgHandle>` (High). CVE-2026-8417 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Concrete CMS does not validate a CSRF token before processing requests to `/dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>` (High). CVE-2026-8426 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Concrete CMS is vulnerable to Stored XSS via OAuth integration name (High). CVE-2026-8197 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection (High). CVE-2026-54329 was published for snipe/snipe-it (Composer) on Jun 23, 2026.

Concrete CMS is Vulnerable to Cross-Site Request Forgery (High). CVE-2026-8140 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Concrete CMS Vulnerable to Deserialization of Untrusted Data (High). CVE-2026-8135 was published for concrete5/concrete5 (Composer) on May 21, 2026.

Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users (High). CVE-2026-48507 was published for snipe/snipe-it (Composer) on Jun 23, 2026.

AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink (High). CVE-2026-55173 was published for wwbn/avideo (Composer) on Jun 23, 2026.

AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration (High). CVE-2026-33692 was published for wwbn/avideo (Composer) on Jun 22, 2026.

symfony/ux-toolkit: Path Traversal Allows Arbitrary File Write and Read via Crafted Recipe Manifest (High). CVE-2026-55878 was published for symfony/ux-toolkit (Composer) on Jun 19, 2026.

StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled (High). CVE-2026-55692 was published for starcitizenwiki/embedvideo (Composer) on Jun 19, 2026.

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template (High). CVE-2026-55691 was published for starcitizenwiki/embedvideo (Composer) on Jun 19, 2026.

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text (High). CVE-2026-55690 was published for starcitizenwiki/embedvideo (Composer) on Jun 19, 2026.

Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module (High). CVE-2026-55744 was published for cotonti/cotonti (Composer) on Jun 18, 2026.