GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
235 advisories
A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the...
Moderate | Unreviewed | CVE-2026-12066 was published Jun 12, 2026
LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header...
High | Unreviewed | CVE-2026-50635 was published Jun 9, 2026
A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to...
Low | Unreviewed | CVE-2026-10169 was published May 31, 2026
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable...
High | Unreviewed | CVE-2026-7459 was published May 30, 2026
A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of...
Low | Unreviewed | CVE-2026-9609 was published May 27, 2026
A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue...
Moderate | Unreviewed | CVE-2026-9466 was published May 26, 2026
phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration
High | CVE-2026-35675 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation
High | CVE-2026-35676 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain...
Moderate | Unreviewed | CVE-2026-36438 was published May 18, 2026
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
High | CVE-2026-45013 was published for apostrophe (npm) May 14, 2026
The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery...
Moderate | Unreviewed | CVE-2026-7652 was published May 9, 2026
An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0...
Critical | Unreviewed | CVE-2026-34408 was published May 5, 2026
AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass
High | CVE-2026-42606 was published for azuracast/azuracast (Composer) May 4, 2026
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link...
High | Unreviewed | CVE-2026-29199 was published May 4, 2026
A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some...
Low | Unreviewed | CVE-2026-7554 was published May 1, 2026
Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An...
Moderate | Unreviewed | CVE-2025-36579 was published Apr 16, 2026
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated...
High | Unreviewed | CVE-2026-30459 was published Apr 16, 2026
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
Critical | CVE-2026-34751 was published for @payloadcms/graphql (npm) Apr 1, 2026
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated...
Moderate | Unreviewed | CVE-2026-4136 was published Mar 20, 2026
Incorrect Access Control via activation token reuse on the password-reset endpoint allowing...
Critical | Unreviewed | CVE-2025-69614 was published Mar 10, 2026
IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links
High | CVE-2026-28681 was published for irrd (pip) Mar 4, 2026
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Critical | CVE-2026-28268 was published for code.vikunja.io/api (Go) Feb 28, 2026
Statamic is vulnerable to account takeover via password reset link injection
Critical | CVE-2026-27593 was published for statamic/cms (Composer) Feb 24, 2026
funadmin has Weak Password Recovery Mechanism for Forgotten Password
Low | CVE-2026-2895 was published for funadmin/funadmin (Composer) Feb 22, 2026
A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by...
Critical | Unreviewed | CVE-2026-2564 was published Feb 16, 2026