
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,538 advisories

AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php Moderate
CVE-2026-35452 was published for wwbn/avideo (Composer) Apr 4, 2026
Credited to adrgs and aisafe-bot
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php Moderate
CVE-2026-35450 was published for wwbn/avideo (Composer) Apr 4, 2026
Credited to adrgs and aisafe-bot
AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php Moderate
CVE-2026-35449 was published for wwbn/avideo (Composer) Apr 4, 2026
Credited to adrgs and aisafe-bot
AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php Low
CVE-2026-35448 was published for wwbn/avideo (Composer) Apr 4, 2026
Credited to adrgs and aisafe-bot
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php Moderate
CVE-2026-35181 was published for wwbn/avideo (Composer) Apr 3, 2026
Credited to adrgs and aisafe-bot
AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php Moderate
CVE-2026-35179 was published for wwbn/avideo (Composer) Apr 3, 2026
Credited to adrgs and aisafe-bot
OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals High
CVE-2026-35470 was published for devcode-it/openstamanager (Composer) Apr 3, 2026
Credited to ormzro
Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message Moderate
CVE-2026-35545 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message Moderate
CVE-2026-35543 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube: Bypass of remote image blocking via crafted BODY background attribute Moderate
CVE-2026-35542 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages Moderate
CVE-2026-35544 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler Low
CVE-2026-35537 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages Moderate
CVE-2026-35540 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode Moderate
CVE-2026-35539 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube Webmail: Incorrect password comparison in the password plugin Moderate
CVE-2026-35541 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments Low
CVE-2026-35538 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34989 was published for ci4-cms-erp/ci4ms (Composer) Apr 3, 2026
Credited to bugmithlegend and peeefour
OpenSTAManager: SQL Injection via Aggiornamenti Module High
CVE-2026-35168 was published for devcode-it/openstamanager (Composer) Apr 3, 2026
Credited to ormzro
Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption High
GHSA-ghc5-95c2-vwcv was published for auth0/symfony (Composer) Apr 3, 2026
Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption High
GHSA-vfpx-q664-h93m was published for auth0/wordpress (Composer) Apr 3, 2026
Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption High
GHSA-fmg6-246m-9g2v was published for auth0/login (Composer) Apr 3, 2026
Krayin CRM is vulnerable to Cross-site Scripting (XSS) Low
CVE-2026-5370 was published for krayin/laravel-crm (Composer) Apr 2, 2026
phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation Moderate
CVE-2026-34974 was published for thorsten/phpmyfaq (Composer) Apr 1, 2026
Credited to 0xmanhnv
phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure Moderate
CVE-2026-34973 was published for thorsten/phpmyfaq (Composer) Apr 1, 2026
Credited to athuljayaram
AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin Moderate
GHSA-gmpc-fxg2-vcmq was published for wwbn/avideo (Composer) Apr 1, 2026
Credited to adrgs