
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,774 advisories

Silverstripe Assets Module has a DBFile::getURL() permission bypass Moderate
CVE-2026-24749 was published for silverstripe/assets (Composer) Apr 16, 2026
Withdrawn Advisory: Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion High
GHSA-qjfj-3mm5-vrjg was published for google/protobuf (Composer) Apr 16, 2026 withdrawn
goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files Critical
CVE-2026-31843 was published for goodoneuz/pay-uz (Composer) Apr 16, 2026
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution Critical
CVE-2026-41228 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature Moderate
CVE-2026-40500 was published for processwire/processwire (Composer) Apr 16, 2026
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) Critical
CVE-2026-41229 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() High
CVE-2026-41230 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron High
CVE-2026-41231 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing Moderate
CVE-2026-41232 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() Moderate
CVE-2026-41233 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate Moderate
CVE-2026-40486 was published for kimai/kimai (Composer) Apr 15, 2026
Credited to udaypali
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget Moderate
CVE-2026-40479 was published for kimai/kimai (Composer) Apr 15, 2026
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket Moderate
GHSA-xp4f-g2cm-rhg7 was published for pocketmine/pocketmine-mp (Composer) Apr 15, 2026
Credited to DrakzoSurYT and dktapps
Craft CMS has a host header injection leading to SSRF via resource-js endpoint Moderate
CVE-2026-41130 was published for craftcms/cms (Composer) Apr 14, 2026
Credited to HuajiHD
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations Moderate
CVE-2026-41129 was published for craftcms/cms (Composer) Apr 14, 2026
Credited to r3dbrothers
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action Moderate
CVE-2026-41128 was published for craftcms/cms (Composer) Apr 14, 2026
Credited to kaminuma
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection High
CVE-2026-41064 was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS Moderate
CVE-2026-41063 was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver Moderate
CVE-2026-41061 was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL High
CVE-2026-41060 was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal Moderate
CVE-2026-41058 was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF Moderate
CVE-2026-41055 was published for wwbn/avideo (Composer) Apr 14, 2026