Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,196
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,483
Pub
12
RubyGems
992
Rust
1,186
Swift
51
Unreviewed advisories
All unreviewed
5,000+

5,343 advisories

Loading
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy High
CVE-2026-33039 was published for wwbn/avideo (Composer) Mar 17, 2026
bugbunny-research Credited to bugbunny-research
Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler Moderate
CVE-2026-4175 was published for aureuserp/aureuserp (Composer) Mar 16, 2026
Unauthenticated Reflected XSS via innerHTML in AVideo Moderate
CVE-2026-33035 was published for wwbn/avideo (Composer) Mar 17, 2026
AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS High
CVE-2026-33043 was published for wwbn/avideo (Composer) Mar 17, 2026
offensiveee Credited to offensiveee
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php Moderate
CVE-2026-33041 was published for wwbn/avideo (Composer) Mar 17, 2026
offensiveee Credited to offensiveee
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments High
CVE-2026-33038 was published for wwbn/avideo (Composer) Mar 17, 2026
bugbunny-research Credited to bugbunny-research
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() High
CVE-2026-31891 was published for cockpit-hq/cockpit (Composer) Mar 17, 2026
ffasterss Credited to ffasterss
Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken() High
CVE-2026-32267 was published for craftcms/cms (Composer) Mar 16, 2026
Shopware: Unauthenticated data extraction possible through store-api.order endpoint High
CVE-2026-31887 was published for shopware/core (Composer) Mar 11, 2026
mromeike Credited to mromeike, ab-pknollmann, and janschoepke ab-pknollmann ab-pknollmann
janschoepke janschoepke
Bagist Cross-site Scripting vulnerability Moderate
CVE-2024-27499 was published for bagisto/bagisto (Composer) Mar 1, 2024
simplesamlphp/xml-security: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption High
CVE-2026-32600 was published for simplesamlphp/xml-security (Composer) Mar 13, 2026
Sideni Credited to Sideni and tvdijen tvdijen tvdijen
xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption High
CVE-2026-32313 was published for robrichards/xmlseclibs (Composer) Mar 13, 2026
Sideni Credited to Sideni
Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter) High
CVE-2026-32813 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint Moderate
CVE-2026-32812 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController High
CVE-2026-32264 was published for craftcms/cms (Composer) Mar 16, 2026
Craft CMS vulnerable to behavior injection RCE via EntryTypesController High
CVE-2026-32263 was published for craftcms/cms (Composer) Mar 16, 2026
q1uf3ng Credited to q1uf3ng
Craft CMS has a Path Traversal Vulnerability in AssetsController Moderate
CVE-2026-32262 was published for craftcms/cms (Composer) Mar 16, 2026
RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin High
CVE-2026-32261 was published for craftcms/webhooks (Composer) Mar 16, 2026
Neosprings Credited to Neosprings
Admidio is Missing Authorization on Forum Topic and Post Deletion Moderate
GHSA-g375-5wmp-xr78 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection Moderate
CVE-2026-32757 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion Critical
GHSA-rmpj-3x5m-9m5f was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio is Missing CSRF Protection on Role Membership Date Changes Moderate
CVE-2026-32755 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions Moderate
GHSA-wwg8-6ffr-h4q2 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
File Upload(RCE) Vulnerability in admidio High
CVE-2026-32756 was published for admidio/admidio (Composer) Mar 16, 2026
arrester Credited to arrester
Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability High
CVE-2026-32268 was published for craftcms/azure-blob (Composer) Mar 16, 2026
Neosprings Credited to Neosprings
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database