GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,670 advisories

Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs (High)
CVE-2026-47260 was published for phanan/koel (Composer) May 29, 2026
Credited to EndlssNightmare

TYPO3 CMS has Broken Access Control in its Form Framework (High)
CVE-2026-11607 was published for typo3/cms-core (Composer) Jun 12, 2026

TYPO3 CMS: Destructive Actions on File Mount Folders (High)
CVE-2026-47343 was published for typo3/cms-core (Composer) Jun 12, 2026

TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework (High)
CVE-2026-49741 was published for typo3/cms-core (Composer) Jun 12, 2026

TYPO3 CMS has Broken Access Control in its Form Framework (High)
CVE-2026-47346 was published for typo3/cms-core (Composer) Jun 12, 2026

TYPO3 CMS has Broken Access Control in its Media Module (High)
CVE-2026-49742 was published for typo3/cms-core (Composer) Jun 12, 2026

Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint (High)
CVE-2026-44692 was published for code16/sharp (Composer) May 15, 2026
Credited to baradika

Snappy: Binary path is never shell-escaped due to an inverted is_executable check (High)
CVE-2026-46643 was published for KnpLabs/knp-snappy (Composer) May 21, 2026

SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion (High)
CVE-2026-46491 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) May 15, 2026
Credited to kamil-sawicki

Froxlor's API Authentication bypasses 2FA Authentication (High)
CVE-2026-52793 was published for froxlor/froxlor (Composer) Jun 3, 2026
Credited to hett-patell and SKaif009

CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration (High)
CVE-2026-41249 was published for coreshop/core-shop (Composer) May 14, 2026
Credited to smiotani-aeyesec

Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement (High)
CVE-2026-41235 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua

Froxlor has an incomplete fix for CVE-2026-30932 (High)
CVE-2026-41237 was published for froxlor/froxlor (Composer) May 29, 2026

Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path (High)
CVE-2026-41236 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua

Froxlor: BIND Zone File Injection via TXT Record Content (High)
CVE-2026-41234 was published for froxlor/froxlor (Composer) Jun 3, 2026
Credited to hett-patell and SKaif009

ipl/web is vulnerable to reflected XSS by malformed search requests (High)
CVE-2026-42224 was published for ipl/web (Composer) Apr 29, 2026

AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL (High)
CVE-2026-45578 was published for WWBN/AVideo (Composer) May 15, 2026
Credited to offset

MantisBT Vulnerable to Stored XSS in File Download (High)
CVE-2026-44657 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad

MantisBT has Stored XSS on Move Attachments Admin Page (High)
CVE-2026-44655 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to dregad

MantisBT has a Private Bugnote Attachment Content Leak via REST API (High)
CVE-2026-42071 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304, TristanInSec, dregad, and siunam321

phpMyFAQ: Default Empty API Token Authentication Bypass (High)
CVE-2026-35672 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to guayu-kakeru

Duplicate Advisory: phpMyFAQ has stored XSS via | raw Filter in search.twig, html_entity_decode(strip_tags()) Bypass in Search Result Rendering (High)
GHSA-478m-mrw4-qf2w was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 (withdrawn)

phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields (High)
CVE-2026-46359 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

Duplicate Advisory: phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields (High)
GHSA-p9wc-4pjv-rg82 was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 (withdrawn)

Duplicate Advisory: phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check (High)
GHSA-w9mj-gfrm-hj5x was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 (withdrawn)