GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
213 advisories
guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator
Moderate • CVE-2026-53723 was published for guzzlehttp/guzzle-services (Composer) • Jun 11, 2026

guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
Moderate • CVE-2026-48998 was published for guzzlehttp/psr7 (Composer) • Jun 11, 2026

guzzlehttp/psr7 has CRLF Injection via URI Host Component
Moderate • CVE-2026-49214 was published for guzzlehttp/psr7 (Composer) • Jun 11, 2026

SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
Moderate • CVE-2026-47767 was published for symfony/runtime (Composer) • Jun 9, 2026

Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
High • CVE-2026-47732 was published for twig/twig (Composer) • Jun 5, 2026

Yii 2: Local file inclusion via view parameter name collision
High • CVE-2026-39850 was published for yiisoft/yii2 (Composer) • May 11, 2026

FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism
High • CVE-2026-27891 was published for facturascripts/facturascripts (Composer) • May 7, 2026

Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override
High • CVE-2026-42845 was published for getgrav/grav-plugin-form (Composer) • May 6, 2026

Grav has Insecure Deserialization in File Cache
Low • CVE-2026-7317 was published for getgrav/grav (Composer) • May 5, 2026

Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
Critical • CVE-2026-42613 was published for getgrav/grav (Composer) • May 5, 2026

CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
Moderate • CVE-2026-41890 was published for ci4-cms-erp/ci4ms (Composer) • May 4, 2026

ps_checkout allows unauthorized method invocation through unvalidated parameter
Low • GHSA-mqq7-wxx5-mp8h was published for prestashop/ps_checkout (Composer) • Apr 30, 2026

Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest
High • CVE-2026-41670 was published for admidio/admidio (Composer) • Apr 29, 2026

Duplicate Advisory: Grav has Insecure Deserialization in File Cache
Low • GHSA-j7rw-325j-2rmx was published for getgrav/grav (Composer) • Apr 29, 2026 • withdrawn

Cockpit has NoSQL Injection Through Content Aggregation Pipelines
Low • CVE-2026-6626 was published for cockpit-hq/cockpit (Composer) • Apr 20, 2026

Withdrawn Advisory: Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion
High • GHSA-qjfj-3mm5-vrjg was published for google/protobuf (Composer) • Apr 16, 2026 • withdrawn

Composer has a command injection via malicious perforce repository
High • CVE-2026-40176 was published for composer/composer (Composer) • Apr 14, 2026

Composer has a command injection via malicious perforce reference
High • CVE-2026-40261 was published for composer/composer (Composer) • Apr 14, 2026

Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Moderate • CVE-2026-34383 was published for admidio/admidio (Composer) • Mar 31, 2026

phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
Moderate • CVE-2026-32629 was published for phpmyfaq/phpmyfaq (Composer) • Mar 31, 2026

Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload
Moderate • CVE-2026-29905 was published for getkirby/cms (Composer) • Mar 27, 2026 • withdrawn

AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters
High • GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) • Mar 27, 2026

Statamic's Markdown preview endpoint exposes sensitive user data
Moderate • CVE-2026-33882 was published for statamic/cms (Composer) • Mar 26, 2026

funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function
Low • CVE-2026-2898 was published for funadmin/funadmin (Composer) • Feb 22, 2026

Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint
High • CVE-2026-25892 was published for vrana/adminer (Composer) • Feb 10, 2026

ProTip! Advisories are also available from the GraphQL API