GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,670 advisories

TYPO3 CMS has Broken Access Control in its Form Framework High
CVE-2026-11607 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS: Destructive Actions on File Mount Folders High
CVE-2026-47343 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework High
CVE-2026-49741 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Broken Access Control in its Form Framework High
CVE-2026-47346 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 CMS has Broken Access Control in its Media Module High
CVE-2026-49742 was published for typo3/cms-core (Composer) Jun 12, 2026
Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points High
CVE-2026-47732 was published for twig/twig (Composer) Jun 5, 2026
Credited to fabpot
Twig: Possible sandbox bypass when using a source policy High
CVE-2026-24425 was published for twig/twig (Composer) Jun 5, 2026
Credited to fabpot, wsparks-vc, XavLimSG, and Vincent550102
Shopper: Multiple data integrity and disclosure issues in admin Livewire components High
CVE-2026-47743 was published for shopper/framework (Composer) Jun 5, 2026
Credited to baradika
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection High
CVE-2026-47761 was published for TinyMCE (Composer) Jun 5, 2026
Credited to UncleJ4ck and ange-primiterra
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments High
CVE-2026-47762 was published for TinyMCE (Composer) Jun 5, 2026
Credited to he1d3n
Credited to mtrill47 and he1d3n
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs High
CVE-2026-47760 was published for TinyMCE (Composer) Jun 5, 2026
Credited to maple3142
Credited to oduoke567
WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint High
CVE-2026-47696 was published for WWBN/AVideo (Composer) Jun 4, 2026
Credited to proochicken
Froxlor's API Authentication bypasses 2FA Authentication High
CVE-2026-52793 was published for froxlor/froxlor (Composer) Jun 3, 2026
Credited to hett-patell and SKaif009
Froxlor: BIND Zone File Injection via TXT Record Content High
CVE-2026-41234 was published for froxlor/froxlor (Composer) Jun 3, 2026
Credited to hett-patell and SKaif009
formie's unauthenticated front-end submission editing can overwrite existing submissions High
CVE-2026-47266 was published for verbb/formie (Composer) May 29, 2026
Credited to offset and 0xEr3n
Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs High
CVE-2026-47260 was published for phanan/koel (Composer) May 29, 2026
Credited to EndlssNightmare
ezsystems/ezpublish-legacy has a SQL injection in dfscleanup High
CVE-2026-38739 was published for ezsystems/ezpublish-legacy (Composer) May 29, 2026
Credited to Goaterino
Froxlor has an incomplete fix for CVE-2026-30932 High
CVE-2026-41237 was published for froxlor/froxlor (Composer) May 29, 2026
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path High
CVE-2026-41236 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua
Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement High
CVE-2026-41235 was published for froxlor/froxlor (Composer) May 29, 2026
Credited to larlarua
Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save High
CVE-2026-5394 was published for pimcore/pimcore (Composer) May 28, 2026
Credited to researchatfluidattacks
Pimcore has a CustomReports Share Bypass High
CVE-2026-45704 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to HuajiHD