Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,193
Erlang
25
GitHub Actions
39
Go
2,385
Maven
3,027
npm
3,078
NuGet
529
pip
2,897
Pub
5
RubyGems
442
Rust
905
Swift
20
Unreviewed advisories
All unreviewed
5,000+

1,042 advisories

Loading
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS Moderate
CVE-2026-41201 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
bugmithlegend Credited to bugmithlegend and DexterHK DexterHK DexterHK
October CMS: Reflected XSS via DataTable Form Widget Low
CVE-2026-27937 was published for october/system (Composer) Apr 21, 2026
daftspunk Credited to daftspunk
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget Moderate
CVE-2026-40479 was published for kimai/kimai (Composer) Apr 15, 2026
WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS Moderate
GHSA-m7r8-6q9j-m2hc was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver Moderate
GHSA-8pv3-29pp-pf8f was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
October Rain has Stored XSS via SVG Filter Bypass Moderate
CVE-2026-25133 was published for october/rain (Composer) Apr 14, 2026
daftspunk Credited to daftspunk
October CMS has Stored XSS in Event Log Mail Preview Moderate
CVE-2026-24907 was published for october/system (Composer) Apr 14, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS has Stored XSS in Backend Editor Markup Classes Moderate
CVE-2026-24906 was published for october/system (Composer) Apr 14, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
LibreNMS affected by an authenticated Cross-site Scripting vulnerability on the showconfig page Moderate
CVE-2026-2728 was published for librenms/librenms (Composer) Apr 13, 2026
rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives Moderate
CVE-2026-40301 was published for rhukster/dom-sanitizer (Composer) Apr 10, 2026
morimori-dev Credited to morimori-dev
REDAXO has reflected XSS backend packages API via function parameter (CSRF token required) Low
GHSA-xq4j-g85q-wf97 was published for redaxo/source (Composer) Apr 10, 2026
NumberOreo1 Credited to NumberOreo1
REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required) Low
GHSA-m662-8jrj-cw6v was published for redaxo/source (Composer) Apr 10, 2026
NumberOreo1 Credited to NumberOreo1
CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization Moderate
CVE-2026-39392 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List Moderate
CVE-2026-39391 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting Moderate
CVE-2026-39390 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page Moderate
CVE-2026-39367 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
yaffa vulnerable to Cross Site Scripting Moderate
CVE-2025-70844 was published for kantorge/yaffa (Composer) Apr 7, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module Moderate
CVE-2026-31313 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter Moderate
CVE-2026-31350 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module Moderate
CVE-2026-31351 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module Moderate
CVE-2026-31352 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module Moderate
CVE-2026-31354 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module Moderate
CVE-2026-31353 was published for feehi/cms (Composer) Apr 6, 2026
CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS Critical
CVE-2026-35035 was published for ci4-cms-erp/ci4ms (Composer) Apr 6, 2026
bugmithlegend Credited to bugmithlegend and peeefour peeefour peeefour
Nodcms contains a cross-site request forgery vulnerability Moderate
CVE-2016-20054 was published for khodakhah/nodcms (Composer) Apr 4, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database