Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,857
Maven
5,000+
npm
4,488
NuGet
780
pip
4,243
Pub
12
RubyGems
975
Rust
1,095
Swift
49
Unreviewed advisories
All unreviewed
5,000+

1,367 advisories

Loading
Livewire Filemanager does not restrict uploaded file types High
CVE-2025-14894 was published for livewire-filemanager/filemanager (Composer) Jan 16, 2026
alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass High
CVE-2026-23622 was published for alextselegidis/easyappointments (Composer) Jan 15, 2026
faroukn
Credited to faroukn
Aimeos contains a SQL injection vulnerability in the json api 'sort' parameter High
CVE-2021-47763 was published for aimeos/aimeos-laravel (Composer) Jan 15, 2026
Pimcore ENV Variables and Cookie Informations are exposed in http_error_log High
CVE-2026-23493 was published for pimcore/pimcore (Composer) Jan 15, 2026
putzflorian
Credited to putzflorian
Pimcore Has an Incomplete Patch for CVE-2023-30848 High
CVE-2026-23492 was published for pimcore/pimcore (Composer) Jan 14, 2026
Snow1nd
Credited to Snow1nd
Shopware Has Improper Control of Generation of Code in Twig rendered views High
CVE-2026-23498 was published for shopware/core (Composer) Jan 14, 2026
lukasz-rybak
Credited to lukasz-rybak
TYPO3 CMS Allows Broken Access Control in Recycler Module High
CVE-2025-59022 was published for typo3/cms-recycler (Composer) Jan 13, 2026
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced High
CVE-2025-68954 was published for github.com/pterodactyl/wings (Composer) Jan 6, 2026
real2two
Credited to real2two
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read High
CVE-2026-21857 was published for redaxo/source (Composer) Jan 5, 2026
lukasz-rybak
Credited to lukasz-rybak
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior High
CVE-2025-68455 was published for craftcms/cms (Composer) Jan 5, 2026
chutchut
Credited to chutchut
Unauthenticated Craft CMS users can trigger a database backup High
CVE-2025-68456 was published for craftcms/cms (Composer) Jan 5, 2026
h4x0r-dz
Credited to h4x0r-dz
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users High
CVE-2026-21449 was published for bagisto/bagisto (Composer) Jan 2, 2026
Bagisto has IDOR in Customer Order Reorder Functionality High
CVE-2026-21447 was published for bagisto/bagisto (Composer) Jan 2, 2026
DenizParlak
Credited to DenizParlak
Bagisto has Normal & Blind SSTI from low-privilege user when ordering product High
CVE-2026-21448 was published for bagisto/bagisto (Composer) Jan 2, 2026
Bagisto SSTI vulnerability in type parameter can lead to RCE High
CVE-2026-21450 was published for bagisto/bagisto (Composer) Jan 2, 2026
Bagisto Missing Authentication on Installer API Endpoints High
CVE-2026-21446 was published for bagisto/bagisto (Composer) Jan 2, 2026
mhzcyber
Credited to mhzcyber
FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload High
CVE-2025-69210 was published for facturascripts/facturascripts (Composer) Dec 30, 2025
vettrivel007
Credited to vettrivel007
YOURLS is vulnerable to XSS through JSONP and Callback request parameters High
GHSA-6mp4-q625-mxjp was published for yourls/yourls (Composer) Dec 30, 2025
DenizParlak
Credited to DenizParlak
phpMyFAQ has unauthenticated config backup download via /api/setup/backup High
CVE-2025-69200 was published for thorsten/phpmyfaq (Composer) Dec 30, 2025
eclipse07077-ljw
Credited to eclipse07077-ljw
Croogo CMS has a path traversal vulnerability High
CVE-2024-42718 was published for croogo/croogo (Composer) Dec 26, 2025
Cadmium CMS has a background arbitrary file upload vulnerability High
CVE-2025-51511 was published for cadmium-org/cadmium-cms (Composer) Dec 23, 2025
FoF Pretty Mail has a server-side template injection vulnerability High
CVE-2024-58303 was published for fof/pretty-mail (Composer) Dec 12, 2025
Shopware Storefront Reflected XSS in Storefront Login Page High
CVE-2025-67648 was published for shopware/shopware (Composer) Dec 9, 2025
tbrankaer NielDuysters
Credited to tbrankaer and NielDuysters
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE) High
CVE-2025-67509 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
siewer
Credited to siewer
Filament multi-factor authentication (app) recovery codes can be used multiple times High
CVE-2025-67507 was published for filament/filament (Composer) Dec 9, 2025
JaZo danharrin
Credited to JaZo and danharrin
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database