GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
62 advisories
Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update
Moderate. CVE-2026-55482 was published for snipe/snipe-it (Composer) on Jun 23, 2026

Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
Moderate. CVE-2026-48067 was published for filament/actions (Composer) on Jun 11, 2026

Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Moderate. CVE-2026-47230 was published for admidio/admidio (Composer) on May 29, 2026

Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Moderate. CVE-2026-47227 was published for admidio/admidio (Composer) on May 29, 2026

Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Moderate. CVE-2026-47226 was published for admidio/admidio (Composer) on May 29, 2026

Concrete CMS is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block
Moderate. CVE-2026-7881 was published for concrete5/concrete5 (Composer) on May 22, 2026

Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog
Moderate. CVE-2026-8204 was published for concrete5/concrete5 (Composer) on May 21, 2026

TYPO3 sf_register extension allows unauthorized assignment of frontend user groups
Moderate. CVE-2026-46721 was published for evoweb/sf-register (Composer) on May 19, 2026

MantisBT Has Authorization Bypass in Global Profile Creation
Moderate. CVE-2026-33052 was published for mantisbt/mantisbt (Composer) on May 11, 2026

AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Moderate. CVE-2026-43883 was published for wwbn/avideo (Composer) on May 5, 2026

WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
Moderate. CVE-2026-40907 was published for wwbn/avideo (Composer) on Apr 14, 2026

AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
Moderate. CVE-2026-33764 was published for wwbn/avideo (Composer) on Mar 26, 2026

AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Moderate. CVE-2026-33759 was published for wwbn/avideo (Composer) on Mar 26, 2026

Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Moderate. CVE-2026-33158 was published for craftcms/cms (Composer) on Mar 24, 2026

AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
Moderate. CVE-2026-33297 was published for wwbn/avideo (Composer) on Mar 19, 2026

Craft Commerce: Potential IDOR in Commerce carts
Moderate. CVE-2026-31867 was published for craftcms/commerce (Composer) on Mar 10, 2026

Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter
Moderate. CVE-2026-30927 was published for admidio/admidio (Composer) on Mar 9, 2026

Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
Moderate. CVE-2026-28782 was published for craftcms/cms (Composer) on Mar 3, 2026

Craft CMS: Entries Authorship Spoofing via Mass Assignment
Moderate. CVE-2026-28781 was published for craftcms/cms (Composer) on Mar 3, 2026

Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
Moderate. CVE-2025-66306 was published for getgrav/grav (Composer) on Dec 2, 2025

Powermail extension for TYPO3 allows Insecure Direct Object Reference
Moderate. CVE-2025-7899 was published for in2code/powermail (Composer) on Jul 22, 2025

Femanager extension for TYPO3 allows Insecure Direct Object Reference
Moderate. CVE-2025-7900 was published for in2code/femanager (Composer) on Jul 22, 2025

reint_downloadmanager TYPO3 Extension is susceptible to Insecure Direct Object Reference
Moderate. CVE-2025-48207 was published for renolit/reint-downloadmanager (Composer) on May 21, 2025

The femanager TYPO3 extension allows Insecure Direct Object Reference
Moderate. CVE-2025-48202 was published for in2code/femanager (Composer) on May 21, 2025

Grokability Snipe-IT has incorrect authorization for accessing asset information
Moderate. CVE-2025-47226 was published for snipe/snipe-it (Composer) on May 2, 2025

ProTip! Advisories are also available from the GraphQL API.