GitHub Advisory Database
Security vulnerability database covering CVEs and GitHub-originated security advisories for open source software.
GitHub reviewed advisories, by ecosystem:

| Ecosystem      | Reviewed advisories |
|----------------|---------------------|
| All reviewed   | 5,000+ |
| Composer       | 5,000+ |
| Erlang         | 49 |
| GitHub Actions | 50 |
| Go             | 3,653 |
| Maven          | 5,000+ |
| npm            | 5,000+ |
| NuGet          | 928 |
| pip            | 4,860 |
| Pub            | 13 |
| RubyGems       | 1,050 |
| Rust           | 1,304 |
| Swift          | 53 |

Unreviewed advisories (all ecosystems): 5,000+

Current listing: 1,567 advisories match the filter in effect (every entry shown is GitHub reviewed, Composer ecosystem, High severity). The first page follows, newest first.
| Published    | Identifier          | Severity | Package (ecosystem)                        | Advisory |
|--------------|---------------------|----------|--------------------------------------------|----------|
| May 4, 2026  | GHSA-fc86-6rv6-2jpm | High | webonyx/graphql-php (Composer) | webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments |
| May 4, 2026  | GHSA-gxxh-8vcj-w2mh | High | mckenziearts/livewire-markdown-editor (Composer) | livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler |
| May 4, 2026  | GHSA-q4ph-8x8g-95f8 | High | azuracast/azuracast (Composer) | AzuraCast vulnerable to Liquidsoap code injection via incomplete cleanUpString-to-toRawString migration in remote relay password field |
| May 4, 2026  | CVE-2026-42606 | High | azuracast/azuracast (Composer) | AzuraCast has password reset poisoning via untrusted X-Forwarded-Host header that leads to account takeover and 2FA bypass |
| May 4, 2026  | CVE-2026-42605 | High | azuracast/azuracast (Composer) | AzuraCast has path traversal in `currentDirectory` parameter that enables remote code execution via media upload |
| May 4, 2026  | CVE-2026-42069 | High | getkirby/cms (Composer) | Kirby CMS's read access to site, user and role information is not gated by permissions |
| Apr 30, 2026 | CVE-2026-42137 | High | getkirby/cms (Composer) | Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API |
| Apr 29, 2026 | CVE-2026-41670 | High | admidio/admidio (Composer) | Admidio sends SAML Response to unvalidated Assertion Consumer Service URL from AuthnRequest |
| Apr 29, 2026 | CVE-2026-41669 | High | admidio/admidio (Composer) | Admidio ignores SAML signature validation result, processes forged AuthnRequests and LogoutRequests |
| Apr 29, 2026 | CVE-2026-41660 | High | admidio/admidio (Composer) | Admidio has inverted 2FA reset authorization check that lets group leaders strip admin TOTP |
| Apr 29, 2026 | CVE-2026-42224 | High | ipl/web (Composer) | ipl/web is vulnerable to reflected XSS via malformed search requests |
| Apr 29, 2026 | CVE-2026-41587 | High | ci4-cms-erp/ci4ms (Composer) | CI4MS has unrestricted PHP file upload via theme installation that leads to authenticated remote code execution |
| Apr 29, 2026 | CVE-2026-40902 | High | phpoffice/phpspreadsheet (Composer) | PhpSpreadsheet has CPU denial of service via unbounded row number in XLSX row dimensions |
| Apr 29, 2026 | CVE-2026-40863 | High | phpoffice/phpspreadsheet (Composer) | PhpSpreadsheet has CPU denial of service via unbounded row index in SpreadsheetML XML reader |
| Apr 29, 2026 | CVE-2026-34084 | High | phpoffice/phpspreadsheet (Composer) | PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled |
| Apr 24, 2026 | CVE-2026-41325 | High | getkirby/cms (Composer) | Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection |
| Apr 24, 2026 | CVE-2026-6553 | High | typo3/cms-backend (Composer) | TYPO3 CMS stores cleartext password in User Settings module |
| Apr 23, 2026 | CVE-2026-34587 | High | getkirby/cms (Composer) | Kirby has server-side template injection (SSTI) via double template resolution in option rendering |
| Apr 22, 2026 | GHSA-mh6w-vxff-9wqp | High | phpunit/phpunit (Composer) | PHPUnit: argument injection via newline in PHP INI values forwarded to child processes |
| Apr 21, 2026 | CVE-2026-40488 | High | openmage/magento-lts (Composer) | OpenMage LTS: customer file upload extension blocklist bypass → remote code execution |
| Apr 21, 2026 | CVE-2026-31019 | High | dolibarr/dolibarr (Composer) | Dolibarr user with permission to edit PHP content can bypass filtering that restricts dangerous PHP functions |
| Apr 21, 2026 | CVE-2026-31018 | High | dolibarr/dolibarr (Composer) | Dolibarr allows code injection through its Website module |
| Apr 21, 2026 | CVE-2026-25524 | High | openmage/magento-lts (Composer) | OpenMage LTS: Phar deserialization leads to remote code execution |
| Apr 18, 2026 | CVE-2026-41143 | High | yeswiki/yeswiki (Composer) | YesWiki vulnerable to authenticated SQL injection via id_fiche in EntryManager::formatDataBeforeSave() |
| Apr 18, 2026 | CVE-2026-41570 | High | phpunit/phpunit (Composer) | PHPUnit has argument injection via newline in PHP INI values that are forwarded to child processes |
Advisories are also available from the GitHub GraphQL API.
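The following is an added example, not code from GitHub or from this page, showing how the same listing (Composer ecosystem, High severity) is fetched through the GitHub GraphQL API and checked against a set of installed package versions. It uses the public `securityVulnerabilities` field of GitHub's GraphQL schema; the sample response embedded below is constructed from two entries of the listing above, with placeholder version ranges and a placeholder GHSA id for the CVE entry (the page shows only the CVE), so the parsing and matching run offline. A live call needs a personal access token in `GITHUB_TOKEN`.

```python
"""Query the GitHub Advisory Database via GraphQL and match results against installed packages.

Added example (not GitHub's own code). The query shape follows the public schema;
SAMPLE_RESPONSE is a constructed response used so the example runs offline.
"""
import json
import os
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# securityVulnerabilities(ecosystem:, severities:, first:, after:) is the GraphQL
# equivalent of the listing page's ecosystem/severity filter.
QUERY = """
query($eco: SecurityAdvisoryEcosystem!, $sev: [SecurityAdvisorySeverity!], $first: Int!, $after: String) {
  securityVulnerabilities(ecosystem: $eco, severities: $sev, first: $first, after: $after) {
    pageInfo { hasNextPage endCursor }
    nodes {
      severity
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      package { name ecosystem }
      advisory { ghsaId summary publishedAt identifiers { type value } }
    }
  }
}
"""


def fetch_page(token, ecosystem="COMPOSER", severities=("HIGH",), first=25, after=None):
    """Fetch one page from the live API (requires a token; not exercised offline)."""
    variables = {"eco": ecosystem, "sev": list(severities), "first": first, "after": after}
    body = json.dumps({"query": QUERY, "variables": variables}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json",
        "User-Agent": "advisory-lookup-example"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def preferred_identifier(advisory):
    """Prefer the CVE when one is assigned, else the GHSA id (as the listing page does)."""
    for ident in advisory.get("identifiers", []):
        if ident.get("type") == "CVE":
            return ident["value"]
    return advisory["ghsaId"]


def flatten(response):
    """Turn a GraphQL response into one flat dict per advisory/package pair, plus pageInfo."""
    data = response["data"]["securityVulnerabilities"]
    rows = []
    for node in data["nodes"]:
        adv = node["advisory"]
        fixed = node.get("firstPatchedVersion")
        rows.append({
            "id": preferred_identifier(adv), "ghsa_id": adv["ghsaId"],
            "severity": node["severity"], "package": node["package"]["name"],
            "ecosystem": node["package"]["ecosystem"],
            "vulnerable_range": node.get("vulnerableVersionRange"),
            "first_patched": fixed["identifier"] if fixed else None,
            "published": adv["publishedAt"][:10], "summary": adv["summary"],
        })
    return rows, data["pageInfo"]


def _vtuple(v):
    """Numeric part of a version as a 3+-tuple: 'v1.2-beta' -> (1, 2, 0). Pre-release tags are ignored."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}


def version_in_range(version, range_expr):
    """True if `version` satisfies every comma-separated clause of a range like '>= 1.0, < 1.4.2'."""
    v = _vtuple(version)
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        if not _OPS[m.group(1)](v, _vtuple(m.group(2))):
            return False
    return True


def match_installed(rows, installed):
    """Return (id, package, installed version, first patched) for advisories covering an installed version.
    `installed` maps package name to version, e.g. built from composer.lock."""
    hits = []
    for row in rows:
        ver = installed.get(row["package"])
        if ver and row["vulnerable_range"] and version_in_range(ver, row["vulnerable_range"]):
            hits.append((row["id"], row["package"], ver, row["first_patched"]))
    return hits


# Constructed sample response. Identifiers, packages, summaries and dates come from the
# listing; the GHSA id on the second node and all version ranges are placeholders.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {
    "pageInfo": {"hasNextPage": True, "endCursor": "Y3Vyc29yOjI="},
    "nodes": [
        {"severity": "HIGH", "vulnerableVersionRange": "< 2.0.0",
         "firstPatchedVersion": {"identifier": "2.0.0"},
         "package": {"name": "webonyx/graphql-php", "ecosystem": "COMPOSER"},
         "advisory": {"ghsaId": "GHSA-fc86-6rv6-2jpm", "publishedAt": "2026-05-04T00:00:00Z",
                      "summary": "webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments",
                      "identifiers": [{"type": "GHSA", "value": "GHSA-fc86-6rv6-2jpm"}]}},
        {"severity": "HIGH", "vulnerableVersionRange": ">= 0.1.0, < 0.2.0",
         "firstPatchedVersion": {"identifier": "0.2.0"},
         "package": {"name": "azuracast/azuracast", "ecosystem": "COMPOSER"},
         "advisory": {"ghsaId": "GHSA-0000-0000-0000", "publishedAt": "2026-05-04T00:00:00Z",
                      "summary": "AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass",
                      "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0000"},
                                      {"type": "CVE", "value": "CVE-2026-42606"}]}},
    ]}}}

if __name__ == "__main__":
    rows, page = flatten(SAMPLE_RESPONSE)
    for r in rows:
        print(f"{r['published']}  {r['id']:<20} {r['severity']:<5} {r['package']:<28} {r['summary']}")
    # Constructed installed versions: the first is inside its placeholder range, the second is patched.
    print("hits:", match_installed(rows, {"webonyx/graphql-php": "1.9.0", "azuracast/azuracast": "0.2.0"}))
    if os.environ.get("GITHUB_TOKEN"):
        live, _ = flatten(fetch_page(os.environ["GITHUB_TOKEN"]))
        print(f"live first page: {len(live)} rows")
```

Paginate by re-calling `fetch_page` with `after=page["endCursor"]` while `hasNextPage` is true; the GraphQL API returns one node per affected package range, so a single advisory can appear several times with different ranges. The range comparator ignores pre-release suffixes, which is conservative for `<` clauses but may under-report on `>=` boundaries; use a full version library in production.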