GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,774 advisories

phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS Moderate
GHSA-whqh-9pq5-c7r3 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset
phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization Moderate
GHSA-f5p7-2c9q-8896 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset
phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags Moderate
GHSA-7cx3-2qx2-3g6w was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset
phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check Moderate
GHSA-hpgw-ww76-c68r was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset
phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering High
GHSA-9525-27vj-c8r8 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to ericliu-12
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules Critical
CVE-2026-44262 was published for dedoc/scramble (Composer) May 6, 2026
Credited to FORIMOC
Credited to fg0x0
Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation Moderate
GHSA-9g2q-w3w2-vf7q was published for kimai/kimai (Composer) May 6, 2026
Credited to nullvector1
phpseclib: guardrails needed on isPrime and randomPrime High
CVE-2024-27354 was published for phpseclib/phpseclib (Composer) May 6, 2026
Credited to offset
Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior High
CVE-2026-44011 was published for craftcms/cms (Composer) May 6, 2026
Credited to precicom-vincent-tl
Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure High
CVE-2026-44010 was published for craftcms/cms (Composer) May 6, 2026
Credited to joshuaalwin
AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization High
CVE-2026-43885 was published for wwbn/avideo (Composer) May 5, 2026
Credited to tronglinh23
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() High
CVE-2026-43884 was published for wwbn/avideo (Composer) May 5, 2026
Credited to SnailSploit
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements Moderate
CVE-2026-43883 was published for wwbn/avideo (Composer) May 5, 2026
Credited to offset
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing Moderate
CVE-2026-43882 was published for wwbn/avideo (Composer) May 5, 2026
Credited to offset
Grav is Vulnerable to Stored XSS via Tag Injection High
CVE-2026-42611 was published for getgrav/grav (Composer) May 5, 2026
Credited to KhanMarshaI
Grav is Vulnerable to XXE via SVG Upload Moderate
GHSA-3446-6mgw-f79p was published for getgrav/grav (Composer) May 5, 2026
Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component High
CVE-2026-42608 was published for getgrav/grav (Composer) May 5, 2026
Credited to sentinal404
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic High
CVE-2026-42609 was published for getgrav/grav (Composer) May 5, 2026
Credited to AnhNg1410
Grav has Insecure Deserialization in File Cache High
GHSA-gwfr-jfjf-92vv was published for getgrav/grav (Composer) May 5, 2026
Credited to devsamuelsantiago
Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass Critical
GHSA-vj3m-2g9h-vm4p was published for getgrav/grav (Composer) May 5, 2026
Credited to Proscan-one