GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,615 advisories

Low-privileged Grav API users can create super-admin accounts via blueprint-upload (High)
CVE-2026-42844, published for getgrav/grav (Composer), May 6, 2026. Credited to 0d000721999.

phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query (High)
GHSA-99qv-g4x9-mgc3, published for phpmyfaq/phpmyfaq (Composer), May 6, 2026. Credited to adrgs and aisafe-bot.

phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields (High)
GHSA-pm8c-3qq3-72w7, published for phpmyfaq/phpmyfaq (Composer), May 6, 2026. Credited to adrgs and aisafe-bot.

phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering (High)
GHSA-9525-27vj-c8r8, published for phpmyfaq/phpmyfaq (Composer), May 6, 2026. Credited to ericliu-12.

phpseclib: guardrails needed on isPrime and randomPrime (High)
CVE-2024-27354, published for phpseclib/phpseclib (Composer), May 6, 2026. Credited to offset.

Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior (High)
CVE-2026-44011, published for craftcms/cms (Composer), May 6, 2026. Credited to precicom-vincent-tl.

Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure (High)
CVE-2026-44010, published for craftcms/cms (Composer), May 6, 2026. Credited to joshuaalwin.

AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization (High)
CVE-2026-43885, published for wwbn/avideo (Composer), May 5, 2026. Credited to tronglinh23.

AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() (High)
CVE-2026-43884, published for wwbn/avideo (Composer), May 5, 2026. Credited to SnailSploit.

Grav is Vulnerable to Stored XSS via Tag Injection (High)
CVE-2026-42611, published for getgrav/grav (Composer), May 5, 2026. Credited to KhanMarshaI.

Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component (High)
CVE-2026-42608, published for getgrav/grav (Composer), May 5, 2026. Credited to sentinal404.

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic (High)
CVE-2026-42609, published for getgrav/grav (Composer), May 5, 2026. Credited to AnhNg1410.

Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes (High)
CVE-2026-42612, published for getgrav/grav (Composer), May 5, 2026. Credited to KC1zs4.

Grav API Privilege Escalation to Super Admin (High)
CVE-2026-42843, published for getgrav/grav-plugin-api (Composer), May 5, 2026. Credited to n0tra4e.

phpseclib has a CVE-2024-27355 mitigation bypass: OID amplification DoS in ASN1::decodeOID() (High)
CVE-2026-44167, published for phpseclib/phpseclib (Composer), May 5, 2026.

webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input (High)
GHSA-r7cg-qjjm-xhqq, published for webonyx/graphql-php (Composer), May 5, 2026. Credited to d0cs1s-bzhunt and BZHunt.

webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments (High)
GHSA-fc86-6rv6-2jpm, published for webonyx/graphql-php (Composer), May 4, 2026. Credited to d0cs1s-bzhunt and BZHunt.

livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler (High)
GHSA-gxxh-8vcj-w2mh, published for mckenziearts/livewire-markdown-editor (Composer), May 4, 2026.

OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality (High)
CVE-2026-38751, published for devcode-it/openstamanager (Composer), May 4, 2026. Credited to offset.

AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload (High)
CVE-2026-42605, published for azuracast/azuracast (Composer), May 4, 2026. Credited to offset.