Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,479
Maven
5,000+
npm
5,000+
NuGet
886
pip
4,740
Pub
13
RubyGems
1,031
Rust
1,225
Swift
53
Unreviewed advisories
All unreviewed
5,000+

195 advisories

Loading
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter Moderate
CVE-2026-34383 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor Moderate
CVE-2026-32629 was published for phpmyfaq/phpmyfaq (Composer) Mar 31, 2026
Kirby CMS has Persistent DoS via Malformed Image Upload Moderate
CVE-2026-29905 was published for getkirby/cms (Composer) Mar 27, 2026
Stalin-143 Credited to Stalin-143
AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters High
GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) Mar 27, 2026
Statamic's Markdown preview endpoint exposes sensitive user data Moderate
CVE-2026-33882 was published for statamic/cms (Composer) Mar 26, 2026
joshuaalwin Credited to joshuaalwin
funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function Low
CVE-2026-2898 was published for funadmin/funadmin (Composer) Feb 22, 2026
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint High
CVE-2026-25892 was published for vrana/adminer (Composer) Feb 10, 2026
JoyGhoshs Credited to JoyGhoshs
FacturaScripts has SQL Injection in Autocomplete Actions High
CVE-2026-25514 was published for facturascripts/facturascripts (Composer) Feb 3, 2026
lukasz-rybak Credited to lukasz-rybak
FacturaScripts has SQL Injection in API ORDER BY Clause High
CVE-2026-25513 was published for facturascripts/facturascripts (Composer) Feb 3, 2026
lukasz-rybak Credited to lukasz-rybak
FeehiCMS Has a Remote Code Execution via Unrestricted File Upload in Ad Management Moderate
CVE-2025-65657 was published for feehi/cms (Composer) Dec 2, 2025
TinyEnv: Inline comments not stripped properly in .env values Moderate
CVE-2025-58759 was published for datahihi1/tiny-env (Composer) Sep 9, 2025
Magento Community Edition Improper Input Validation vulnerability Critical
CVE-2025-54236 was published for magento/community-edition (Composer) Sep 9, 2025
Magento vulnerable to denial of service High
CVE-2025-49554 was published for magento/community-edition (Composer) Aug 12, 2025
Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page Moderate
CVE-2025-8571 was published for concrete5/concrete5 (Composer) Aug 6, 2025
Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page Low
CVE-2025-8573 was published for concrete5/concrete5 (Composer) Aug 6, 2025
Laravel Rest Api has a Search Validation Bypass Moderate
CVE-2025-48490 was published for lomkit/laravel-rest-api (Composer) May 27, 2025
edepauw Credited to edepauw
Easy!Appointments Denial of Service (DoS) Moderate
CVE-2025-29448 was published for alextselegidis/easyappointments (Composer) May 7, 2025
Shopware allows Denial Of Service via password length High
CVE-2025-30151 was published for shopware/core (Composer) Apr 8, 2025
bsmietana Credited to bsmietana
API Platform Core does not call GraphQl securityAfterResolver Moderate
CVE-2025-23204 was published for api-platform/core (Composer) Mar 24, 2025
soyuka Credited to soyuka, vinceAmstoutz, and ausi vinceAmstoutz vinceAmstoutz
ausi ausi
yiisoft Yii2 Deserialization of Untrusted Data Moderate
CVE-2025-2689 was published for yiisoft/yii2-dev (Composer) Mar 24, 2025
Concrete CMS affected by a stored XSS in Folder Function.The "Add Folder" functionality Moderate
CVE-2025-0660 was published for concrete5/concrete5 (Composer) Mar 10, 2025
Volt Allows RCE Via User-Crafted Requests Critical
CVE-2025-27517 was published for livewire/volt (Composer) Mar 5, 2025
angelej Credited to angelej
Browsershot Path Traversal High
CVE-2025-1022 was published for spatie/browsershot (Composer) Feb 5, 2025
Browsershot Local File Inclusion Moderate
CVE-2025-1026 was published for spatie/browsershot (Composer) Feb 5, 2025
Browsershot Improper Input Validation vulnerability Moderate
CVE-2024-21549 was published for spatie/browsershot (Composer) Dec 20, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database