
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

61 advisories

Statamic allows unauthorized content access through missing authorization in its revision controllers Moderate
CVE-2026-33887 was published for statamic/cms (Composer) Mar 26, 2026
Credited to offset
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents Moderate
CVE-2026-33759 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to offset
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data Moderate
CVE-2026-33685 was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset
Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions Moderate
CVE-2026-33162 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to GCXWLP
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations Moderate
CVE-2026-33159 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to GCXWLP
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin Moderate
CVE-2026-33501 was published for wwbn/avideo (Composer) Mar 20, 2026
Credited to offset
Statamic is missing authorization check on taxonomy term creation via fieldtype Moderate
CVE-2026-33177 was published for statamic/cms (Composer) Mar 18, 2026
Credited to everythingBlackkk
Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite Moderate
CVE-2026-1217 was published for yoast/duplicate-post (Composer) Mar 18, 2026
Credited to ictbeheer
Admidio is Missing Authorization on Forum Topic and Post Deletion Moderate
CVE-2026-32818 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to offset
Sylius is Missing Authorization in API v2 Add Item Endpoint Moderate
CVE-2026-31821 was published for sylius/sylius (Composer) Mar 11, 2026
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
CVE-2026-30885 was published for wwbn/avideo (Composer) Mar 7, 2026
Credited to Akokonunes and neo-ai-engineer
Kimai's API invoice endpoint missing customer-level access control (IDOR) Moderate
CVE-2026-28685 was published for kimai/kimai (Composer) Mar 4, 2026
Statamic's missing authorization allows access to email addresses Moderate
CVE-2026-28424 was published for statamic/cms (Composer) Mar 1, 2026
Statamic CMS's missing authorization allows access to assets Moderate
CVE-2026-25633 was published for statamic/cms (Composer) Feb 11, 2026
Credited to Neosprings
phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing) Moderate
CVE-2026-24421 was published for phpmyfaq/phpmyfaq (Composer) Jan 23, 2026
Credited to Brahim-Fouad
TYPO3 CMS Allows Broken Access Control in Redirects Module Moderate
CVE-2025-59021 was published for typo3/cms-redirects (Composer) Jan 13, 2026
Shopware Customer Orders can be canceled, even if refunds are disabled Moderate
GHSA-r2vg-hvjm-fg38 was published for shopware/core (Composer) Oct 21, 2025
Credited to aragon999
TYPO3 backend modules have Broken Access Control Moderate
CVE-2025-59017 was published for typo3/cms-backend (Composer) Sep 9, 2025
Drupal Quick Node Block Missing Authorization vulnerability Moderate
CVE-2025-48013 was published for drupal/quick_node_block (Composer) Jun 11, 2025
Drupal Quick Node Block Missing Authorization vulnerability Moderate
CVE-2025-48444 was published for drupal/quick_node_block (Composer) Jun 11, 2025
Mautic segment cloning doesn't have a proper permission check Moderate
CVE-2024-47055 was published for mautic/core (Composer) May 28, 2025
Credited to abhisekmazumdar, patrykgruszka, and nick-vanpraet
Moodle shows hidden grades to users without permission on some grade reports Moderate
CVE-2025-32045 was published for moodle/moodle (Composer) Apr 25, 2025
Drupal Open Social Missing Authorization vulnerability Moderate
CVE-2025-31685 was published for goalgorilla/open_social (Composer) Apr 1, 2025
Drupal AI Missing Authorization vulnerability Moderate
CVE-2025-31678 was published for drupal/ai (Composer) Apr 1, 2025