
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

418 advisories

Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
Credited to jqr1449186277
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles Low
CVE-2026-49358 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
Credited to PomPomSaturin
Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL Low
CVE-2026-55542 was published for snipe/snipe-it (Composer) Jun 23, 2026
Snipe-IT has Improper Authorization in File Deletion (IDOR) Low
CVE-2026-55519 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to windbreaker555
phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing Low
CVE-2026-48488 was published for phpmyfaq/phpmyfaq (Composer) Jun 23, 2026
Credited to N0tFix3d
symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted Low
CVE-2026-49215 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Credited to Kocal
symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding Low
CVE-2026-49212 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Credited to Kocal
symfony/ux-live-component: Denial of service via unbounded batch action requests Low
CVE-2026-49209 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Credited to Amoifr and Kocal
TYPO3 CMS has Broken Access Control in its File Abstraction Layer Low
CVE-2026-49738 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 HTML Sanitizer allows Cross-site Scripting Low
CVE-2026-47344 was published for typo3/html-sanitizer (Composer) Jun 12, 2026
Credited to ohader
Twig: XSS in profiler HtmlDumper via unescaped template and profile names Low
CVE-2026-47730 was published for twig/twig (Composer) Jun 5, 2026
Credited to nicolas-grekas
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames Low
CVE-2026-48011 was published for shopware/core (Composer) Jun 4, 2026
Credited to NielDuysters and tbrankaer
Credited to nicolas-grekas
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS Low
CVE-2026-45756 was published for symfony/json-path (Composer) May 28, 2026
Credited to alexandre-daubois and unknownhad
Credited to nicolas-grekas
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex Low
CVE-2026-45305 was published for symfony/symfony (Composer) May 27, 2026
Symfony hardened the parser when handling untrusted input Low
CVE-2026-45133 was published for symfony/symfony (Composer) May 27, 2026
Credited to nicolas-grekas and suidpit
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering Low
CVE-2026-45072 was published for symfony/symfony (Composer) May 27, 2026
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true Low
CVE-2026-45071 was published for symfony/dom-crawler (Composer) May 27, 2026
Pterodactyl has a database resource limit bypass via race condition in Client API Low
CVE-2026-35202 was published for pterodactyl/panel (Composer) May 26, 2026
Credited to UDPSendToFailed
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion() Low
CVE-2026-8435 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple() Low
CVE-2026-8434 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete Low
CVE-2026-8409 was published for concrete5/concrete5 (Composer) May 22, 2026