
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,709 advisories

Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save High
CVE-2026-5394 was published for pimcore/pimcore (Composer) May 28, 2026
Credited to researchatfluidattacks
Pimcore has a CustomReports Share Bypass High
CVE-2026-45704 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to HuajiHD
Credited to lorenzocamilli
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener High
CVE-2026-45077 was published for symfony/monolog-bridge (Composer) May 27, 2026
Credited to snoopysecurity, nicolas-grekas, and a-tt-om
Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address High
CVE-2026-45067 was published for symfony/mime (Composer) May 27, 2026
Credited to offset
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling High
CVE-2026-45260 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to larlarua
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction High
CVE-2026-45162 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to tikket1
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator High
CVE-2026-45063 was published for symfony/security-http (Composer) May 27, 2026
Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter High
CVE-2026-44741 was published for pimcore/admin-ui-classic-bundle (Composer) May 27, 2026
Credited to tikket1
Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration High
CVE-2026-44739 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to msayedZiko
Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup High
CVE-2026-44177 was published for getkirby/cms (Composer) May 26, 2026
Credited to offset
Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend High
CVE-2026-44175 was published for getkirby/cms (Composer) May 26, 2026
Credited to offset
Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints High
CVE-2026-44174 was published for getkirby/cms (Composer) May 26, 2026
Credited to mojamojam
Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation High
CVE-2026-46640 was published for twig/twig (Composer) May 21, 2026
Credited to vladko312
Twig: Sandbox property and method bypass via object-destructuring assignment High
CVE-2026-46639 was published for twig/twig (Composer) May 21, 2026
Concrete does not validate a CSRF token before processing requests to `/dashboard/extend/update/do_update/<pkgHandle>` High
CVE-2026-8417 was published for concrete5/concrete5 (Composer) May 21, 2026
Concrete CMS contains a CSRF vulnerability High
CVE-2026-8421 was published for concrete5/concrete5 (Composer) May 21, 2026
Concrete CMS has Stored XSS through its height parameter High
CVE-2026-8203 was published for concrete5/concrete5 (Composer) May 21, 2026
Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php High
CVE-2026-8350 was published for concrete5/concrete5 (Composer) May 21, 2026
Concrete CMS is Vulnerable to Cross-Site Request Forgery High
CVE-2026-8428 was published for concrete5/concrete5 (Composer) May 21, 2026
Concrete CMS Vulnerable to Deserialization of Untrusted Data High
CVE-2026-8135 was published for concrete5/concrete5 (Composer) May 21, 2026
Concrete CMS is Vulnerable to Cross-Site Request Forgery High
CVE-2026-8140 was published for concrete5/concrete5 (Composer) May 21, 2026
Concrete CMS is vulnerable to Stored XSS via OAuth integration name High
CVE-2026-8197 was published for concrete5/concrete5 (Composer) May 21, 2026