Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,193
Erlang
25
GitHub Actions
39
Go
2,385
Maven
3,027
npm
3,078
NuGet
529
pip
2,897
Pub
5
RubyGems
442
Rust
905
Swift
20
Unreviewed advisories
All unreviewed
5,000+

117 advisories

Loading
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) Critical
GHSA-gc9w-cc93-rjv8 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks Critical
GHSA-gph2-j4c9-vhhr was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
October Rain has Environment Variable Exfiltration via INI Parser Interpolation Moderate
CVE-2026-25125 was published for october/rain (Composer) Apr 14, 2026
daftspunk Credited to daftspunk
Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin High
CVE-2026-32276 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
odgrso Credited to odgrso
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin High
CVE-2026-33479 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
CraftCMS has an RCE vulnerability via relational conditionals in the control panel High
CVE-2026-31857 was published for craftcms/cms (Composer) Mar 11, 2026
Neosprings Credited to Neosprings
AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs High
GHSA-93fx-5qgc-wr38 was published for azuracast/azuracast (Composer) Mar 9, 2026
q1uf3ng Credited to q1uf3ng
Craft CMS has Twig Function Blocklist Bypass Moderate
CVE-2026-28783 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget Moderate
CVE-2026-28695 was published for craftcms/cms (Composer) Mar 3, 2026
andreisss Credited to andreisss
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs High
CVE-2026-28425 was published for statamic/cms (Composer) Mar 1, 2026
Neosprings Credited to Neosprings and offset offset offset
Moodle has a Remote Code Execution risk via file restore High
CVE-2026-26045 was published for moodle/moodle (Composer) Feb 21, 2026
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor Critical
CVE-2026-25510 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Far-Horizons Credited to Far-Horizons
Moodle affected by a code injection vulnerability High
CVE-2025-67847 was published for moodle/moodle (Composer) Jan 23, 2026
asrar-mared Credited to asrar-mared and Seldaek Seldaek Seldaek
Shopware Has Improper Control of Generation of Code in Twig rendered views High
CVE-2026-23498 was published for shopware/core (Composer) Jan 14, 2026
lukasz-rybak Credited to lukasz-rybak and andreisss andreisss andreisss
MineAdmin has an insecure default password Critical
CVE-2025-65854 was published for mineadmin/mineadmin (Composer) Dec 12, 2025
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE) High
CVE-2025-67509 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
siewer Credited to siewer
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass High
CVE-2025-66294 was published for getgrav/grav (Composer) Dec 2, 2025
nakkouchtarek Credited to nakkouchtarek
Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection) High
CVE-2025-66299 was published for getgrav/grav (Composer) Dec 2, 2025
justwove Credited to justwove
REDAXO CMS is vulnerable to RCE attack through its template management component High
CVE-2025-64050 was published for redaxo/source (Composer) Nov 25, 2025
bagisto has Server Side Template Injection (SSTI) in Product Description Moderate
CVE-2025-62416 was published for bagisto/bagisto (Composer) Oct 16, 2025
kiwi865 Credited to kiwi865
Dolibarr vulnerable to RCE via the computed field parameter High
CVE-2025-56588 was published for dolibarr/dolibarr (Composer) Oct 1, 2025
The Freeform CraftCMS plugin contains an Server-side template injection (SSTI) vulnerability Critical
CVE-2025-52122 was published for solspace/craft-freeform (Composer) Aug 27, 2025
Craft CMS Potential Remote Code Execution via Twig SSTI Moderate
CVE-2025-57811 was published for craftcms/cms (Composer) Aug 25, 2025
singetu0096 Credited to singetu0096
Livewire is vulnerable to remote command execution during component property update hydration Critical
CVE-2025-54068 was published for livewire/livewire (Composer) Jul 17, 2025
remsio-syn Credited to remsio-syn and worty-syn worty-syn worty-syn
Bolt CMS vulnerable to authenticated remote code execution High
CVE-2025-34086 was published for bolt/bolt (Composer) Jul 3, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database