GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

364 advisories

ps_checkout allows unauthorized method invocation through unvalidated parameter Low
GHSA-mqq7-wxx5-mp8h was published for prestashop/ps_checkout (Composer) Apr 30, 2026
Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send Low
CVE-2026-41663 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment Low
CVE-2026-41659 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Broken Access Control in extension "Redirect Tab" (redirect_tab) Low
CVE-2026-4202 was published for ayacoo/redirect-tab (Composer) Mar 17, 2026
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations Low
CVE-2026-29179 was published for october/system (Composer) Apr 21, 2026
October CMS: Reflected XSS via DataTable Form Widget Low
CVE-2026-27937 was published for october/system (Composer) Apr 21, 2026
Credited to daftspunk
Kimai has Missing Object-Level Authorization in the Team API Low
CVE-2026-41498 was published for kimai/kimai (Composer) Apr 24, 2026
Credited to AzureADTrent
Cockpit has NoSQL Injection Through Content Aggregation Pipelines Low
CVE-2026-6626 was published for cockpit-hq/cockpit (Composer) Apr 20, 2026
Kimai: Username enumeration via timing on X-AUTH-USER Low
GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) Apr 17, 2026
Credited to melnicek
Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler Low
CVE-2026-35537 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Kimai leaks API Token Hash via Invoice Twig Template Low
GHSA-rh42-6rj2-xwmc was published for kimai/kimai (Composer) Apr 14, 2026
Credited to hett-patell
Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler Low
GHSA-3jp4-mhh4-gcgr was published for kimai/kimai (Composer) Apr 14, 2026
Credited to morimori-dev and tianluov
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() Low
CVE-2026-40194 was published for phpseclib/phpseclib (Composer) Apr 10, 2026
Credited to kodareef5
REDAXO has reflected XSS backend packages API via function parameter (CSRF token required) Low
GHSA-xq4j-g85q-wf97 was published for redaxo/source (Composer) Apr 10, 2026
Credited to NumberOreo1
REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required) Low
GHSA-m662-8jrj-cw6v was published for redaxo/source (Composer) Apr 10, 2026
Credited to NumberOreo1
AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php Low
CVE-2026-35448 was published for wwbn/avideo (Composer) Apr 4, 2026
Credited to adrgs and aisafe-bot
PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state Low
GHSA-f9jp-856v-8642 was published for pocketmine/pocketmine-mp (Composer) Apr 6, 2026
Credited to kostamax27 and dktapps
Drupal Core Cross-Site Scripting (XSS) Vulnerability Low
CVE-2025-31675 was published for drupal/core (Composer) Apr 1, 2025
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments Low
CVE-2026-35538 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Krayin CRM is vulnerable to Cross-site Scripting (XSS) Low
CVE-2026-5370 was published for krayin/laravel-crm (Composer) Apr 2, 2026
Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config Low
GHSA-3h6j-9x8m-rg3g was published for j0k3r/graby (Composer) Mar 31, 2026
Credited to tikket1
PrestaShop: Improper Use of Validation Framework Low
CVE-2026-33674 was published for prestashop/prestashop (Composer) Mar 25, 2026
Credited to GCXWLP
Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users Low
CVE-2026-33161 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to Susen2