GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,489 advisories

league/commonmark has an embed extension allowed_domains bypass Moderate
CVE-2026-33347 was published for league/commonmark (Composer) Mar 19, 2026
Credited to HuajiHD
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag Moderate
CVE-2026-33883 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items Moderate
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
Credited to morimori-dev
Credited to offset
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php Moderate
CVE-2026-33499 was published for wwbn/avideo (Composer) Mar 20, 2026
Credited to offset
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field Moderate
CVE-2026-33683 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
Magento LTS vulnerable to stored XSS in admin file form Moderate
GHSA-gp6m-fq6h-cjcx was published for openmage/magento-lts (Composer) Feb 27, 2024
Credited to Judx
Enhavo Cross-site Scripting vulnerability Moderate
CVE-2024-25876 was published for enhavo/enhavo-app (Composer) Feb 22, 2024
Enhavo Cross-site Scripting vulnerability Moderate
CVE-2024-25874 was published for enhavo/enhavo-app (Composer) Feb 22, 2024
baserCMS Cross-site Scripting vulnerability in Content Management Moderate
CVE-2024-26128 was published for baserproject/basercms (Composer) Feb 22, 2024
baserCMS Cross-site Scripting vulnerability in Site search Feature Moderate
CVE-2023-44379 was published for baserproject/basercms (Composer) Feb 22, 2024
league/commonmark contains a XSS vulnerability in Attributes extension Moderate
CVE-2025-46734 was published for league/commonmark (Composer) May 5, 2025
Credited to TRIKKSS
CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names Moderate
CVE-2026-30838 was published for league/commonmark (Composer) Mar 6, 2026
Craft CMS Vulnerable to Stored XSS in Revision Context Menu Moderate
CVE-2026-33051 was published for craftcms/cms (Composer) Mar 18, 2026
Credited to Neosprings
Unauthenticated Reflected XSS via innerHTML in AVideo Moderate
CVE-2026-33035 was published for wwbn/avideo (Composer) Mar 17, 2026
Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection Moderate
CVE-2026-32757 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to offset
Cockpit CMS Cross-Site Scripting vulnerability Moderate
CVE-2024-2001 was published for cockpit-hq/cockpit (Composer) Feb 29, 2024
Enhavo Cross-site Scripting vulnerability Moderate
CVE-2024-25875 was published for enhavo/enhavo-app (Composer) Feb 22, 2024
Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler Moderate
CVE-2026-4175 was published for aureuserp/aureuserp (Composer) Mar 16, 2026
Bagisto Cross-site Scripting vulnerability Moderate
CVE-2024-27499 was published for bagisto/bagisto (Composer) Mar 1, 2024
Statamic vulnerable to privilege escalation via stored cross-site scripting Moderate
CVE-2026-32612 was published for statamic/cms (Composer) Mar 13, 2026
Credited to Shirshaw64p
Kirby vulnerable to unrestricted file upload of user avatar images Moderate
CVE-2024-26483 was published for getkirby/cms (Composer) Feb 26, 2024
Credited to PlyNatwara
Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field Moderate
CVE-2024-26481 was published for getkirby/cms (Composer) Feb 26, 2024
Credited to PlyNatwara
Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type Moderate
CVE-2024-27087 was published for getkirby/cms (Composer) Feb 26, 2024
Credited to PlyNatwara
Cross-site scripting (XSS) vulnerability in Grav Moderate
CVE-2023-31506 was published for getgrav/grav (Composer) Feb 9, 2024