GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,847 advisories

YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities (Moderate)
GHSA-5724-x3rh-5qqq was published for yeswiki/yeswiki (Composer) Apr 1, 2026
Credited to pizza-power
YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter" (High)
CVE-2026-34598 was published for yeswiki/yeswiki (Composer) Apr 1, 2026
Credited to kh0kamoni
CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (Critical)
CVE-2026-34557 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
Credited to bugmithlegend and peeefour

CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (Critical)
CVE-2026-34558 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
Credited to bugmithlegend and peeefour

AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel (Moderate)
CVE-2026-34396 was published for wwbn/avideo (Composer) Mar 31, 2026
Credited to adrgs and aisafe-bot

Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config (Low)
GHSA-3h6j-9x8m-rg3g was published for j0k3r/graby (Composer) Mar 31, 2026
Credited to tikket1

baserCMS is Vulnerable to Cross-site Scripting (High)
CVE-2026-32734 was published for baserproject/basercms (Composer) Mar 31, 2026

phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor (Moderate)
CVE-2026-32629 was published for phpmyfaq/phpmyfaq (Composer) Mar 31, 2026

baserCMS has a cross-site scripting vulnerability in blog posts (Moderate)
CVE-2026-30879 was published for baserproject/basercms (Composer) Mar 31, 2026

AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page (High)
CVE-2026-34375 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to adrgs and aisafe-bot

Credited to bugmithlegend, peeefour, and LAW6ZX7

Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag (Moderate)
CVE-2026-33883 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset

LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write (High)
GHSA-pr3g-phhr-h8fh was published for librenms/librenms (Composer) Mar 26, 2026
Credited to YuriNek0

MantisBT has Stored HTML Injection/XSS when displaying Tags in Timeline (High)
CVE-2026-33548 was published for mantisbt/mantisbt (Composer) Mar 25, 2026
Credited to shukla304 and dregad

MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation (High)
CVE-2026-33517 was published for mantisbt/mantisbt (Composer) Mar 25, 2026
Credited to shukla304 and dregad

AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field (Moderate)
CVE-2026-33683 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset

PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables (High)
CVE-2026-33673 was published for prestashop/prestashop (Composer) Mar 25, 2026

Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items (Moderate)
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
Credited to morimori-dev

Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin (High)
CVE-2026-32278 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View (High)
CVE-2026-32277 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso

Credited to offset

AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php (Moderate)
CVE-2026-33499 was published for wwbn/avideo (Composer) Mar 20, 2026
Credited to offset

league/commonmark has an embed extension allowed_domains bypass (Moderate)
CVE-2026-33347 was published for league/commonmark (Composer) Mar 19, 2026
Credited to HuajiHD

AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php (High)
CVE-2026-33295 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to fg0x0

Filament Unvalidated Range and Values summarizer values can be used for XSS (High)
CVE-2026-33080 was published for filament/tables (Composer) Mar 18, 2026
Credited to danharrin