GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,444 advisories
SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering
High
CVE-2026-33204
was published
for
kelvinmo/simplejwt
(Composer)
Mar 18, 2026
Filament Unvalidated Range and Values summarizer values can be used for XSS
High
CVE-2026-33080
was published
for
filament/tables
(Composer)
Mar 18, 2026
Statamic has Stored XSS via SVG Sanitization Bypass
High
CVE-2026-33172
was published
for
statamic/cms
(Composer)
Mar 18, 2026
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
High
CVE-2026-33039
was published
for
wwbn/avideo
(Composer)
Mar 17, 2026
AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
High
CVE-2026-33043
was published
for
wwbn/avideo
(Composer)
Mar 17, 2026
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
High
CVE-2026-33038
was published
for
wwbn/avideo
(Composer)
Mar 17, 2026
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
High
CVE-2026-31891
was published
for
cockpit-hq/cockpit
(Composer)
Mar 17, 2026
Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
High
CVE-2026-32813
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
File Upload(RCE) Vulnerability in admidio
High
CVE-2026-32756
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
High
CVE-2026-32268
was published
for
craftcms/azure-blob
(Composer)
Mar 16, 2026
Craft CMS vulnerable to behavior injection RCE via EntryTypesController
High
CVE-2026-32263
was published
for
craftcms/cms
(Composer)
Mar 16, 2026
RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin
High
CVE-2026-32261
was published
for
craftcms/webhooks
(Composer)
Mar 16, 2026
simplesamlphp/xml-security: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption
High
CVE-2026-32600
was published
for
simplesamlphp/xml-security
(Composer)
Mar 13, 2026
xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption
High
CVE-2026-32313
was published
for
robrichards/xmlseclibs
(Composer)
Mar 13, 2026
Shopware: Unauthenticated data extraction possible through store-api.order endpoint
High
CVE-2026-31887
was published
for
shopware/core
(Composer)
Mar 11, 2026
CraftCMS has an RCE vulnerability via relational conditionals in the control panel
High
CVE-2026-31857
was published
for
craftcms/cms
(Composer)
Mar 11, 2026
CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
High
CVE-2026-31858
was published
for
craftcms/cms
(Composer)
Mar 11, 2026
Sylius has a Promotion Usage Limit Bypass via Race Condition
High
CVE-2026-31824
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Sylius affected by IDOR in Cart and Checkout LiveComponents
High
CVE-2026-31820
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
High
CVE-2026-29175
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
ProTip!
Advisories are also available from the
GraphQL API