Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
47
GitHub Actions
48
Go
3,378
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,573
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,494 advisories

Loading
YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities Moderate
GHSA-5724-x3rh-5qqq was published for yeswiki/yeswiki (Composer) Apr 1, 2026
pizza-power Credited to pizza-power
AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel Moderate
CVE-2026-34396 was published for wwbn/avideo (Composer) Mar 31, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor Moderate
CVE-2026-32629 was published for phpmyfaq/phpmyfaq (Composer) Mar 31, 2026
baserCMS has a cross-site scripting vulnerability in blog posts Moderate
CVE-2026-30879 was published for baserproject/basercms (Composer) Mar 31, 2026
ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Moderate
CVE-2026-27599 was published for ci4-cms-erp/ci4ms (Composer) Mar 30, 2026
bugmithlegend Credited to bugmithlegend, peeefour, and LAW6ZX7 peeefour peeefour
LAW6ZX7 LAW6ZX7
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag Moderate
CVE-2026-33883 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field Moderate
CVE-2026-33683 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items Moderate
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
morimori-dev Credited to morimori-dev
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization Moderate
CVE-2026-33500 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php Moderate
CVE-2026-33499 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
league/commonmark has an embed extension allowed_domains bypass Moderate
CVE-2026-33347 was published for league/commonmark (Composer) Mar 19, 2026
HuajiHD Credited to HuajiHD
Craft CMS Vulnerable to Stored XSS in Revision Context Menu Moderate
CVE-2026-33051 was published for craftcms/cms (Composer) Mar 18, 2026
Neosprings Credited to Neosprings
Unauthenticated Reflected XSS via innerHTML in AVideo Moderate
CVE-2026-33035 was published for wwbn/avideo (Composer) Mar 17, 2026
Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection Moderate
CVE-2026-32757 was published for admidio/admidio (Composer) Mar 16, 2026
offset Credited to offset
Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler Moderate
CVE-2026-4175 was published for aureuserp/aureuserp (Composer) Mar 16, 2026
Statamic vulnerable to privilege escalation via stored cross-site scripting Moderate
CVE-2026-32612 was published for statamic/cms (Composer) Mar 13, 2026
Shirshaw64p Credited to Shirshaw64p
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization Moderate
CVE-2026-31859 was published for craftcms/cms (Composer) Mar 11, 2026
Sylius Vulnerable to Authenticated Stored XSS Moderate
CVE-2026-31823 was published for sylius/sylius (Composer) Mar 11, 2026
whiteov3rflow Credited to whiteov3rflow and bnBart bnBart bnBart
Sylius has a XSS vulnerability in checkout login form Moderate
CVE-2026-31822 was published for sylius/sylius (Composer) Mar 11, 2026
bnBart Credited to bnBart
Craft Commerce has stored XSS in Inventory Location Name Moderate
CVE-2026-29176 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
flarum/nicknames extension has display name injection in notification emails (autolink & markdown) Moderate
CVE-2026-30913 was published for flarum/nicknames (Composer) Mar 10, 2026
imorland Credited to imorland and DavideIadeluca DavideIadeluca DavideIadeluca
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names Moderate
CVE-2026-30838 was published for league/commonmark (Composer) Mar 6, 2026
Leantime has HTML injection through firstname and lastname fields Moderate
GHSA-qrfh-cc86-vc8c was published for leantime/leantime (Composer) Mar 5, 2026
PratikKaran23 Credited to PratikKaran23
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3242 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3240 was published for concrete5/concrete5 (Composer) Mar 4, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database