GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,018 advisories

Statamic is missing authorization check on taxonomy term creation via fieldtype Moderate
CVE-2026-33177 was published for statamic/cms (Composer) Mar 18, 2026
Credited to everythingBlackkk
Statamic has a path traversal in file dictionary fieldtype Moderate
CVE-2026-33171 was published for statamic/cms (Composer) Mar 18, 2026
Credited to spbavarva
The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class Moderate
CVE-2026-1323 was published for cpsit/typo3-mailqueue (Composer) Mar 18, 2026
Credited to eliashaeussler
Craft CMS Vulnerable to Stored XSS in Revision Context Menu Moderate
CVE-2026-33051 was published for craftcms/cms (Composer) Mar 18, 2026
Credited to Neosprings
Unauthenticated Reflected XSS via innerHTML in AVideo Moderate
CVE-2026-33035 was published for wwbn/avideo (Composer) Mar 17, 2026
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php Moderate
CVE-2026-33041 was published for wwbn/avideo (Composer) Mar 17, 2026
Credited to offensiveee
Admidio is Missing Authorization on Forum Topic and Post Deletion Moderate
CVE-2026-32818 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to restriction
Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection Moderate
CVE-2026-32757 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to restriction
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint Moderate
CVE-2026-32812 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to restriction
Admidio is Missing CSRF Protection on Role Membership Date Changes Moderate
CVE-2026-32755 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to restriction
Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions Moderate
CVE-2026-32816 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to restriction
Amazon S3 for Craft CMS has an Information Disclosure vulnerability Moderate
CVE-2026-32265 was published for craftcms/aws-s3 (Composer) Mar 16, 2026
Credited to Neosprings
Craft CMS has a Path Traversal Vulnerability in AssetsController Moderate
CVE-2026-32262 was published for craftcms/cms (Composer) Mar 16, 2026
Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler Moderate
CVE-2026-4175 was published for aureuserp/aureuserp (Composer) Mar 16, 2026
Statamic vulnerable to privilege escalation via stored cross-site scripting Moderate
CVE-2026-32612 was published for statamic/cms (Composer) Mar 13, 2026
Credited to Shirshaw64p
Shopware has user enumeration via distinct error codes on Store API login endpoint Moderate
CVE-2026-31888 was published for shopware/core (Composer) Mar 11, 2026
Credited to bugbunny-research
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization Moderate
CVE-2026-31859 was published for craftcms/cms (Composer) Mar 11, 2026
Sylius has a DQL Injection via API Order Filters Moderate
CVE-2026-31825 was published for sylius/sylius (Composer) Mar 11, 2026
Credited to Neosprings and bnBart
Sylius Vulnerable to Authenticated Stored XSS Moderate
CVE-2026-31823 was published for sylius/sylius (Composer) Mar 11, 2026
Credited to whiteov3rflow and bnBart
Sylius has a XSS vulnerability in checkout login form Moderate
CVE-2026-31822 was published for sylius/sylius (Composer) Mar 11, 2026
Credited to bnBart
Sylius is Missing Authorization in API v2 Add Item Endpoint Moderate
CVE-2026-31821 was published for sylius/sylius (Composer) Mar 11, 2026
Sylius has an Open Redirect via Referer Header Moderate
CVE-2026-31819 was published for sylius/sylius (Composer) Mar 11, 2026
Credited to bnBart
Craft Commerce: Potential IDOR in Commerce carts Moderate
CVE-2026-31867 was published for craftcms/commerce (Composer) Mar 10, 2026
Credited to rlarabee and RajChowdhury240
Craft Commerce has stored XSS in Inventory Location Name Moderate
CVE-2026-29176 was published for craftcms/commerce (Composer) Mar 10, 2026
Credited to mHe4am
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation Moderate
CVE-2026-30964 was published for web-auth/webauthn-framework (Composer) Mar 10, 2026
Credited to dorakemon
ProTip! Advisories are also available from the GraphQL API