
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

180 advisories

Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
Credited to jqr1449186277
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources Moderate
CVE-2026-49288 was published for statamic/cms (Composer) Jun 26, 2026
Credited to offset, Eszh, and geo-chen
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users High
CVE-2026-48507 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to louissanchez-vokecyber and whatisproblem
Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment Moderate
CVE-2026-48493 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to tienneR and iltosec
Credited to a-tt-om, teebow1e, and nicolas-grekas
Credited to offset and 0xEr3n
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders Moderate
CVE-2026-47230 was published for admidio/admidio (Composer) May 29, 2026
Credited to offset and 0xEr3n
Credited to offset and 0xEr3n
Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement High
CVE-2026-41235 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua
Pimcore has a CustomReports Share Bypass High
CVE-2026-45704 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to HuajiHD
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export Moderate
CVE-2026-45703 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to HuajiHD
Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] Moderate
CVE-2026-45075 was published for symfony/http-kernel (Composer) May 27, 2026
Credited to alexandre-daubois
Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php High
CVE-2026-8350 was published for concrete5/concrete5 (Composer) May 21, 2026
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) Low
CVE-2026-46635 was published for twig/twig (Composer) May 21, 2026
Duplicate Advisory: phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check High
GHSA-w9mj-gfrm-hj5x was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 withdrawn
Duplicate Advisory: phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query High
GHSA-cqrw-j4qc-7f9w was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 withdrawn
Duplicate Advisory: phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check Moderate
GHSA-9r8r-x3vg-6xh4 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026 withdrawn
MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API Moderate
CVE-2026-42070 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304, TristanInSec, and dregad
Snipe-IT has Privilege Escalation via API Permissions Assignment High
CVE-2026-44832 was published for snipe/snipe-it (Composer) May 8, 2026
Credited to lorenzofradeani and 0xrdi
Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy Low
GHSA-h4fw-6r7f-w494 was published for web-auth/webauthn-framework (Composer) May 7, 2026
Credited to offset
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query High
CVE-2026-46366 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot
Credited to kitu232
phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check Moderate
CVE-2026-46362 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset
Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation Moderate
GHSA-9g2q-w3w2-vf7q was published for kimai/kimai (Composer) May 6, 2026
Credited to nullvector1
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass Moderate
CVE-2026-42610 was published for getgrav/grav (Composer) May 5, 2026
Credited to Samer666569