Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
47
GitHub Actions
48
Go
3,378
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,573
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

32 advisories

Loading
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter Moderate
CVE-2026-34383 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
Admidio has Missing CSRF Protection on Registration Approval Actions Moderate
CVE-2026-34384 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification Moderate
CVE-2026-34369 was published for wwbn/avideo (Composer) Mar 30, 2026
offset Credited to offset
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php Moderate
CVE-2026-34364 was published for wwbn/avideo (Composer) Mar 30, 2026
offset Credited to offset
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() Moderate
CVE-2026-34362 was published for wwbn/avideo (Composer) Mar 30, 2026
offset Credited to offset
AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications Moderate
CVE-2026-34247 was published for wwbn/avideo (Composer) Mar 29, 2026
offset Credited to offset
AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking Moderate
CVE-2026-34245 was published for wwbn/avideo (Composer) Mar 29, 2026
offset Credited to offset
Statamic allows unauthorized content access through missing authorization in its revision controllers Moderate
CVE-2026-33887 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields Moderate
CVE-2026-33886 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential Moderate
CVE-2026-33885 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic's live preview token bypasses content protection for unrelated entries Moderate
CVE-2026-33884 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag Moderate
CVE-2026-33883 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions Moderate
CVE-2026-33764 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle Moderate
CVE-2026-33763 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings Moderate
CVE-2026-33761 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents Moderate
CVE-2026-33759 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php Moderate
GHSA-wxjx-r2j2-96fx was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint Moderate
CVE-2026-33688 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data Moderate
CVE-2026-33685 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field Moderate
CVE-2026-33683 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin Moderate
CVE-2026-33501 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization Moderate
CVE-2026-33500 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php Moderate
CVE-2026-33499 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources Moderate
CVE-2026-33294 was published for wwbn/avideo (Composer) Mar 19, 2026
offset Credited to offset
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command Moderate
CVE-2026-33319 was published for wwbn/avideo (Composer) Mar 19, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database