GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
228 advisories
Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation
High
CVE-2026-46640
was published
for
twig/twig
(Composer)
May 21, 2026
Formie: Pre-authenticated server-side template injection in Hidden fields
Critical
CVE-2026-45697
was published
for
verbb/formie
(Composer)
May 18, 2026
CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration
High
CVE-2026-41249
was published
for
coreshop/core-shop
(Composer)
May 14, 2026
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Moderate
CVE-2026-42879
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
Critical
CVE-2026-44262
was published
for
dedoc/scramble
(Composer)
May 6, 2026
Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
Critical
CVE-2026-42607
was published
for
getgrav/grav
(Composer)
May 5, 2026
AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
High
CVE-2026-43874
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field
High
GHSA-q4ph-8x8g-95f8
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Critical
CVE-2026-41229
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Critical
CVE-2026-40911
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
October Rain has Environment Variable Exfiltration via INI Parser Interpolation
Moderate
CVE-2026-25125
was published
for
october/rain
(Composer)
Apr 14, 2026
Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin
High
CVE-2026-32276
was published
for
opensource-workshop/connect-cms
(Composer)
Mar 23, 2026
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
High
CVE-2026-33479
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
CraftCMS has an RCE vulnerability via relational conditionals in the control panel
High
CVE-2026-31857
was published
for
craftcms/cms
(Composer)
Mar 11, 2026
AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs
High
GHSA-93fx-5qgc-wr38
was published
for
azuracast/azuracast
(Composer)
Mar 9, 2026
Craft CMS has Twig Function Blocklist Bypass
Moderate
CVE-2026-28783
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Moderate
CVE-2026-28695
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs
High
CVE-2026-28425
was published
for
statamic/cms
(Composer)
Mar 1, 2026
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
Critical
CVE-2026-25510
was published
for
ci4-cms-erp/ci4ms
(Composer)
Feb 2, 2026
Moodle affected by a code injection vulnerability
High
CVE-2025-67847
was published
for
moodle/moodle
(Composer)
Jan 23, 2026
ProTip!
Advisories are also available from the
GraphQL API