GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
Advisory counts by ecosystem (GitHub reviewed advisories):

All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61
Unreviewed advisories (all): 5,000+

5,975 advisories in this listing
Listing format: identifier (severity): title. Package (ecosystem). Publication date.

CVE-2026-47260 (High): Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs. Package: phanan/koel (Composer). Published May 29, 2026.
CVE-2026-11607 (High): TYPO3 CMS has Broken Access Control in its Form Framework. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47349 (Moderate): TYPO3 CMS has Broken Access Control in the Recycler Module. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47347 (Moderate): TYPO3 CMS has an Open Redirect Vulnerability via Core Utilities. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47343 (High): TYPO3 CMS: Destructive Actions on File Mount Folders. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47345 (Moderate): TYPO3 HTML Sanitizer allows Cross-site Scripting. Package: typo3/html-sanitizer (Composer). Published Jun 12, 2026.
CVE-2026-49741 (High): TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47350 (Moderate): TYPO3 CMS has Broken Access Control in its DataHandler. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47346 (High): TYPO3 CMS has Broken Access Control in its Form Framework. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-45802 (Moderate): FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service. Package: setasign/fpdi (Composer). Published May 19, 2026.
CVE-2026-53723 (Moderate): guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator. Package: guzzlehttp/guzzle-services (Composer). Published Jun 11, 2026.
CVE-2026-48998 (Moderate): guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation. Package: guzzlehttp/psr7 (Composer). Published Jun 11, 2026.
CVE-2026-49214 (Moderate): guzzlehttp/psr7 has CRLF Injection via URI Host Component. Package: guzzlehttp/psr7 (Composer). Published Jun 11, 2026.
CVE-2026-49742 (High): TYPO3 CMS has Broken Access Control in its Media Module. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-49740 (Moderate): TYPO3 CMS has Insecure Deserialization via Core API. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-49738 (Low): TYPO3 CMS has Broken Access Control in its File Abstraction Layer. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47352 (Moderate): TYPO3 CMS has Broken Access Control in Backend API. Package: typo3/cms-backend (Composer). Published Jun 12, 2026.
CVE-2026-47351 (Moderate): TYPO3 CMS: Broken Access Control in Media Module. Package: typo3/cms-backend (Composer). Published Jun 12, 2026.
CVE-2026-47348 (Moderate): TYPO3 CMS has Cross-Site Scripting in Indexed Search. Package: typo3/cms-core (Composer). Published Jun 12, 2026.
CVE-2026-47344 (Low): TYPO3 HTML Sanitizer allows Cross-site Scripting. Package: typo3/html-sanitizer (Composer). Published Jun 12, 2026.
GHSA-6jq6-x4cx-qvcm (Moderate): Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig). Package: grumpydictator/firefly-iii (Composer). Published Jun 12, 2026.
CVE-2026-48067 (Moderate): Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields. Package: filament/actions (Composer). Published Jun 11, 2026.
CVE-2026-48062 (Critical): CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule. Package: codeigniter4/framework (Composer). Published Jun 11, 2026.
CVE-2026-48011 (Low): Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames. Package: shopware/core (Composer). Published Jun 4, 2026.
CVE-2026-44692 (High): Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint. Package: code16/sharp (Composer). Published May 15, 2026.
Advisories are also available from the GraphQL API.
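As an added example (not part of the GitHub page and not GitHub's own sample), the following query retrieves the same kind of listing as above from the GitHub GraphQL API: the most recently published advisories, with the Composer packages each one affects. It assumes the query is POSTed to https://api.github.com/graphql with an "Authorization: bearer <token>" header, and that the `$after` variable is passed from `pageInfo.endCursor` of the previous page when paging.

```graphql
# Added example: list recently published advisories and their Composer packages.
# Assumes a GitHub token with read access; send as "Authorization: bearer <token>".
query RecentComposerAdvisories($after: String) {
  securityAdvisories(
    first: 25
    after: $after
    orderBy: { field: PUBLISHED_AT, direction: DESC }
  ) {
    pageInfo {
      hasNextPage
      endCursor
    }
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      # CVE and GHSA identifiers, matching the identifier column in the listing
      identifiers {
        type
        value
      }
      # Only the Composer packages within each advisory; other ecosystems are omitted
      vulnerabilities(first: 10, ecosystem: COMPOSER) {
        nodes {
          package {
            name
            ecosystem
          }
          vulnerableVersionRange
          firstPatchedVersion {
            identifier
          }
        }
      }
    }
  }
}
```

Note that the `ecosystem` argument filters the packages returned inside each advisory, not the advisory list itself, so advisories that affect only other ecosystems come back with an empty `vulnerabilities` list and should be skipped client-side. To bound the pull to a recent window rather than paging through everything, add the `publishedSince` argument to `securityAdvisories`.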