GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 61
  GitHub Actions: 50
  Go: 3,821
  Maven: 5,000+
  npm: 5,000+
  NuGet: 939
  pip: 5,000+
  Pub: 13
  RubyGems: 1,059
  Rust: 1,357
  Swift: 54

Unreviewed advisories:
  All unreviewed: 5,000+
5,817 advisories
[Moderate] Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
    CVE-2026-42458 was published for openmage/magento-lts (Composer) on May 6, 2026

[Moderate] Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`
    CVE-2026-42207 was published for openmage/magento-lts (Composer) on May 5, 2026

[Critical] Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs
    CVE-2026-42155 was published for openmage/magento-lts (Composer) on May 5, 2026

[Moderate] AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
    CVE-2026-45619 was published for WWBN/AVideo (Composer) on May 15, 2026

[Moderate] AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
    CVE-2026-45610 was published for WWBN/AVideo (Composer) on May 15, 2026

[Moderate] AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
    CVE-2026-45580 was published for WWBN/AVideo (Composer) on May 15, 2026

[High] AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
    CVE-2026-45578 was published for WWBN/AVideo (Composer) on May 15, 2026

[High] AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
    GHSA-qxvm-r42f-5p8j was published for WWBN/AVideo (Composer) on May 15, 2026

[High] SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion
    CVE-2026-46491 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) on May 15, 2026

[High] Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
    CVE-2026-44692 was published for code16/sharp (Composer) on May 15, 2026

[High] NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class
    CVE-2026-41147 was published for nukeviet/nukeviet (Composer) on May 15, 2026

[Moderate] SimpleSAMLphp casserver: Open Redirect in logout
    CVE-2025-65954 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) on May 15, 2026

[High] Flight vulnerable to sensitive information disclosure via default error handler
    CVE-2026-42552 was published for flightphp/core (Composer) on May 6, 2026

[High] Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass
    CVE-2026-42551 was published for flightphp/core (Composer) on May 6, 2026

[High] Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
    CVE-2026-42550 was published for flightphp/core (Composer) on May 6, 2026

[Moderate] Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root
    CVE-2026-42549 was published for flightphp/core (Composer) on May 6, 2026

[High] Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
    CVE-2026-42548 was published for flightphp/core (Composer) on May 6, 2026

[Moderate] Kimai vulnerable to formula Injection via tag names in XLSX export
    CVE-2026-42267 was published for kimai/kimai (Composer) on May 5, 2026

[High] CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration
    CVE-2026-41249 was published for coreshop/core-shop (Composer) on May 14, 2026

[Moderate] Statamic CMS vulnerable to email enumeration via forgot password endpoint
    CVE-2026-44306 was published for statamic/cms (Composer) on May 6, 2026

[Critical] Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
    CVE-2026-44262 was published for dedoc/scramble (Composer) on May 6, 2026

[High] Low-privileged Grav API users can create super-admin accounts via blueprint-upload
    CVE-2026-42844 was published for getgrav/grav (Composer) on May 6, 2026

[High] PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
    CVE-2026-40902 was published for phpoffice/phpspreadsheet (Composer) on Apr 29, 2026

[High] PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
    CVE-2026-40863 was published for phpoffice/phpspreadsheet (Composer) on Apr 29, 2026

[High] Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
    CVE-2026-44012 was published for craftcms/cms (Composer) on May 6, 2026
Advisories are also available from the GraphQL API.