Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

3,213 advisories

Loading
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images Moderate
CVE-2026-42879 was published for facturascripts/facturascripts (Composer) May 7, 2026
guzrex Credited to guzrex
FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint Moderate
CVE-2026-42878 was published for facturascripts/facturascripts (Composer) May 7, 2026
preritpathak Credited to preritpathak
FacturaScripts vulnerable to stored XSS via product reference in sales/purchases Moderate
CVE-2026-42877 was published for facturascripts/facturascripts (Composer) May 7, 2026
ormzro Credited to ormzro
FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download Moderate
CVE-2026-27892 was published for facturascripts/facturascripts (Composer) May 7, 2026
sudo0xksh Credited to sudo0xksh
Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root Moderate
CVE-2026-42549 was published for flightphp/core (Composer) May 6, 2026
Rootingg Credited to Rootingg
Magento LTS: Reflected XSS - Import -> Data Flow (profiles) Moderate
CVE-2026-42458 was published for openmage/magento-lts (Composer) May 6, 2026
justlife4x4 Credited to justlife4x4
Statamic CMS vulnerable to email enumeration via forgot password endpoint Moderate
CVE-2026-44306 was published for statamic/cms (Composer) May 6, 2026
emran-alhaddad Credited to emran-alhaddad
phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins Moderate
GHSA-gh9p-q46p-57g2 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ Moderate
GHSA-jrc5-w569-h7h5 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
kitu232 Credited to kitu232
phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering Moderate
GHSA-pqh6-8fxf-jx22 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Doodi101 Credited to Doodi101
phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User Moderate
GHSA-rm98-82fr-mcfx was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
offset Credited to offset
phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS Moderate
GHSA-whqh-9pq5-c7r3 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
offset Credited to offset
phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization Moderate
GHSA-f5p7-2c9q-8896 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
offset Credited to offset
phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags Moderate
GHSA-7cx3-2qx2-3g6w was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
offset Credited to offset
phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check Moderate
GHSA-hpgw-ww76-c68r was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
offset Credited to offset
Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates Moderate
GHSA-vrqv-52x7-rm4v was published for kimai/kimai (Composer) May 6, 2026
fg0x0 Credited to fg0x0
Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation Moderate
GHSA-9g2q-w3w2-vf7q was published for kimai/kimai (Composer) May 6, 2026
nullvector1 Credited to nullvector1
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements Moderate
CVE-2026-43883 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing Moderate
CVE-2026-43882 was published for wwbn/avideo (Composer) May 5, 2026
AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction Moderate
CVE-2026-43881 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address Moderate
CVE-2026-43880 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass Moderate
CVE-2026-43879 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
Grav is Vulnerable to XXE via SVG Upload Moderate
GHSA-3446-6mgw-f79p was published for getgrav/grav (Composer) May 5, 2026
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass Moderate
CVE-2026-42610 was published for getgrav/grav (Composer) May 5, 2026
Samer666569 Credited to Samer666569
Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel Moderate
CVE-2026-42842 was published for getgrav/grav (Composer) May 5, 2026
cyabell Credited to cyabell
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database