Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

28 advisories

Loading
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification Moderate
CVE-2026-47212 was published for symfony/symfony (Composer) May 29, 2026
nicolas-grekas Credited to nicolas-grekas
Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection Moderate
CVE-2026-45755 was published for symfony/mailtrap-mailer (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois and unknownhad unknownhad unknownhad
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection Moderate
CVE-2026-45754 was published for symfony/lox24-notifier (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois, nicolas-grekas, and unknownhad nicolas-grekas nicolas-grekas
unknownhad unknownhad
Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint High
CVE-2026-45332 was published for automad/automad (Composer) May 27, 2026
lorenzocamilli Credited to lorenzocamilli
AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA Moderate
CVE-2026-45610 was published for WWBN/AVideo (Composer) May 15, 2026
offset Credited to offset
AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction Moderate
CVE-2026-43881 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
phpVMS has an /importer authorization bypass causing full database wipe Critical
CVE-2026-42569 was published for nabeel/phpvms (Composer) May 4, 2026
peter-bosch Credited to peter-bosch
CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass High
CVE-2026-39393 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php Moderate
CVE-2026-35450 was published for wwbn/avideo (Composer) Apr 4, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints Moderate
CVE-2026-34732 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php High
CVE-2026-34731 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment High
CVE-2026-33719 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations Moderate
CVE-2026-33159 was published for craftcms/cms (Composer) Mar 24, 2026
GCXWLP Credited to GCXWLP
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments High
CVE-2026-33038 was published for wwbn/avideo (Composer) Mar 17, 2026
bugbunny-research Credited to bugbunny-research
AVideo has Unauthenticated PGP Message Decryption via Public Endpoint Moderate
GHSA-5x2w-37xf-7962 was published for wwbn/avideo (Composer) Mar 19, 2026
fg0x0 Credited to fg0x0
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
CVE-2026-30885 was published for wwbn/avideo (Composer) Mar 7, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php Critical
CVE-2026-27012 was published for devcode-it/openstamanager (Composer) Mar 3, 2026
RunProgram Credited to RunProgram
FroshAdminer Adminer UI is accessible without admin session Moderate
CVE-2026-25878 was published for frosh/adminer-platform (Composer) Feb 10, 2026
xndrdev Credited to xndrdev and Gugiman Gugiman Gugiman
Bagisto Missing Authentication on Installer API Endpoints High
CVE-2026-21446 was published for bagisto/bagisto (Composer) Jan 2, 2026
mhzcyber Credited to mhzcyber
Mautic has insufficient authentication in upgrade flow Moderate
CVE-2022-25770 was published for mautic/core (Composer) Sep 18, 2024
mollux Credited to mollux, escopecz, patrykgruszka, and RCheesley escopecz escopecz
patrykgruszka patrykgruszka RCheesley RCheesley
Duplicate Advisory: Mautic has insufficient authentication in upgrade flow High
GHSA-5hc5-fxr9-5frc was published for mautic/core (Composer) Sep 19, 2024 withdrawn
TeamPass files are available without authentication High
CVE-2020-12478 was published for nilsteampassnet/teampass (Composer) May 24, 2022
Microweber Discloses Sensitive Information High
CVE-2020-13405 was published for microweber/microweber (Composer) May 24, 2022
Broken Access Control in 3rd party TYPO3 extension "femanager" High
CVE-2023-25013 was published for in2code/femanager (Composer) Feb 2, 2023
ohader Credited to ohader
Broken Access Control in 3rd party TYPO3 extension "femanager" High
CVE-2023-25014 was published for in2code/femanager (Composer) Feb 2, 2023
ohader Credited to ohader
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database