GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 44
GitHub Actions: 45
Go: 3,248
Maven: 5,000+
npm: 5,000+
NuGet: 867
pip: 4,513
Pub: 12
RubyGems: 997
Rust: 1,189
Swift: 51
Unreviewed advisories
All unreviewed: 5,000+
3,027 advisories
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
Moderate, CVE-2026-25494 was published for craftcms/cms (Composer), Feb 9, 2026

Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
Moderate, CVE-2026-25493 was published for craftcms/cms (Composer), Feb 9, 2026

Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host
Moderate, CVE-2026-25492 was published for craftcms/craft (Composer), Feb 9, 2026

PrestaShop affected by time based enumeration in FO login form
Moderate, CVE-2026-25597 was published for prestashop/prestashop (Composer), Feb 3, 2026

Moodle has an authorization logic flaw
Moderate, CVE-2025-67856 was published for moodle/moodle (Composer), Feb 3, 2026

Moodle Inserts Sensitive Information Into Sent Data
Moderate, CVE-2025-67857 was published for moodle/moodle (Composer), Feb 3, 2026

Moodle vulnerable to Cross-site Scripting
Moderate, CVE-2025-67855 was published for moodle/moodle (Composer), Feb 3, 2026

Moodle formula injection vulnerability
Moderate, CVE-2025-67851 was published for moodle/moodle (Composer), Feb 3, 2026

Subrion CMS vulnerable to cross-site scripting
Moderate, CVE-2025-70958 was published for intelliants/subrion (Composer), Feb 3, 2026

Magento's X-Original-Url header can expose admin url
Moderate, CVE-2026-25523 was published for openmage/magento-lts (Composer), Feb 2, 2026

Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Moderate, CVE-2026-25522 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Moderate, CVE-2026-25490 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Moderate, CVE-2026-25489 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Moderate, CVE-2026-25488 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
Moderate, CVE-2026-25487 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
Moderate, CVE-2026-25486 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Moderate, CVE-2026-25485 was published for craftcms/composer (Composer), Feb 2, 2026

Craft Commerce has Stored XSS in Product Type Name
Moderate, CVE-2026-25484 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
Moderate, CVE-2026-25483 was published for craftcms/commerce (Composer), Feb 2, 2026

Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Moderate, CVE-2026-25482 was published for craftcms/commerce (Composer), Feb 2, 2026

CI4MS Vulnerable to User Email Enumeration via Password Reset Flow
Moderate, CVE-2026-25509 was published for ci4-cms-erp/ci4ms (Composer), Feb 2, 2026

FacturaScripts is Vulnerable to Reflected XSS
Moderate, CVE-2026-23476 was published for facturascripts/facturascripts (Composer), Feb 2, 2026

PsySH has Local Privilege Escalation via CWD .psysh.php auto-load
Moderate, CVE-2026-25129 was published for psy/psysh (Composer), Jan 30, 2026

Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
Moderate, CVE-2026-24739 was published for symfony/process (Composer), Jan 28, 2026

phpMyFAQ: Public API endpoints expose emails and invisible questions
Moderate, CVE-2026-24422 was published for phpmyfaq/phpmyfaq (Composer), Jan 23, 2026
ProTip! Advisories are also available from the GraphQL API.