Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,551
Maven
5,000+
npm
5,000+
NuGet
917
pip
4,803
Pub
13
RubyGems
1,038
Rust
1,237
Swift
53
Unreviewed advisories
All unreviewed
5,000+

5,635 advisories

Loading
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure Moderate
CVE-2026-40098 was published for openmage/magento-lts (Composer) Apr 21, 2026
LoGGGG2402 Credited to LoGGGG2402
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module Moderate
CVE-2026-25525 was published for openmage/magento-lts (Composer) Apr 21, 2026
OpenMage LTS: Phar Deserialization leads to Remote Code Execution High
CVE-2026-25524 was published for openmage/magento-lts (Composer) Apr 21, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave() High
GHSA-f58v-p6j9-24c2 was published for yeswiki/yeswiki (Composer) Apr 18, 2026
morimori-dev Credited to morimori-dev
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes High
GHSA-qrr6-mg7r-m243 was published for phpunit/phpunit (Composer) Apr 18, 2026
kayw-geek Credited to kayw-geek, sebastianbergmann, and sanmai sebastianbergmann sebastianbergmann
sanmai sanmai
elFinder: Command injection in resize background color parameter when using ImageMagick CLI High
GHSA-8q4h-8crm-5cvc was published for studio-42/elfinder (Composer) Apr 17, 2026
Kimai: Username enumeration via timing on X-AUTH-USER Low
GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) Apr 17, 2026
melnicek Credited to melnicek
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration Critical
CVE-2026-23500 was published for dolibarr/dolibarr (Composer) Apr 17, 2026
lukasz-rybak Credited to lukasz-rybak
Craftql vulnerable to Server-Side Request Forgery Moderate
CVE-2026-31317 was published for markhuot/craftql (Composer) Apr 17, 2026
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar High
CVE-2026-40308 was published for joedolson/my-calendar (Composer) Apr 16, 2026
minhi1 Credited to minhi1
Statamic: Unsafe method invocation via query value resolution allows data destruction High
GHSA-4jjr-vmv7-wh4w was published for statamic/cms (Composer) Apr 16, 2026
joshuaalwin Credited to joshuaalwin and kodareef5 kodareef5 kodareef5
WWBN AVideo: RCE cause by clonesite plugin High
GHSA-xr6f-h4x7-r6qp was published for wwbn/avideo (Composer) Apr 16, 2026
Rangar0k Credited to Rangar0k
Silverstripe Assets Module has a DBFile::getURL() permission bypass Moderate
CVE-2026-24749 was published for silverstripe/assets (Composer) Apr 16, 2026
Withdrawn Advisory: Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion High
GHSA-qjfj-3mm5-vrjg was published for google/protobuf (Composer) Apr 16, 2026 withdrawn
goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files Critical
CVE-2026-31843 was published for goodoneuz/pay-uz (Composer) Apr 16, 2026
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution Critical
GHSA-w59f-67xm-rxx7 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature Moderate
CVE-2026-40500 was published for processwire/processwire (Composer) Apr 16, 2026
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) Critical
GHSA-gc9w-cc93-rjv8 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() High
GHSA-47hf-23pw-3m8c was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron High
GHSA-75h4-c557-j89r was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing Moderate
GHSA-vmjj-qr7v-pxm6 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() Moderate
GHSA-jvx4-xv3m-hrj4 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate Moderate
CVE-2026-40486 was published for kimai/kimai (Composer) Apr 15, 2026
udaypali Credited to udaypali
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget Moderate
CVE-2026-40479 was published for kimai/kimai (Composer) Apr 15, 2026
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket Moderate
GHSA-xp4f-g2cm-rhg7 was published for pocketmine/pocketmine-mp (Composer) Apr 15, 2026
DrakzoSurYT Credited to DrakzoSurYT and dktapps dktapps dktapps
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database