GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
20 advisories
Filter by severity
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose
Moderate
CVE-2026-45016
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
Mautic vulnerable to Path Traversal via Campaign Import
Critical
CVE-2026-9559
was published
for
mautic/core
(Composer)
Jul 2, 2026
EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components
Moderate
GHSA-2wwr-9x6f-88gp
was published
for
easycorp/easyadmin-bundle
(Composer)
Jul 1, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
Low
CVE-2026-49358
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
Moderate
CVE-2026-45139
was published
for
ci4-cms-erp/ci4ms
(Composer)
May 18, 2026
Duplicate Advisory: phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
High
GHSA-rmqr-h98c-qg2m
was published
for
phpMyFAQ/phpMyFAQ
(Composer)
May 15, 2026
•
withdrawn
Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override
High
CVE-2026-42845
was published
for
getgrav/grav-plugin-form
(Composer)
May 6, 2026
baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API
High
CVE-2026-30940
was published
for
baserproject/basercms
(Composer)
Mar 31, 2026
AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`
High
CVE-2026-33354
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
Moderate
CVE-2025-64714
was published
for
privatebin/privatebin
(Composer)
Nov 14, 2025
HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter
Moderate
CVE-2025-49138
was published
for
elmsln/haxcms
(Composer)
Jun 9, 2025
Remote code execution in web server context
High
CVE-2024-37295
was published
for
aimeos/aimeos-core
(Composer)
Jun 5, 2024
timber/timber vulnerable to Deserialization of Untrusted Data
High
CVE-2024-29800
was published
for
timber/timber
(Composer)
Apr 12, 2024
Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE
Critical
GHSA-97m3-52wr-xvv2
was published
for
phenx/php-svg-lib
(Composer)
Feb 22, 2024
php-svg-lib lacks path validation on font through SVG inline styles
Moderate
CVE-2024-25117
was published
for
phenx/php-svg-lib
(Composer)
Feb 21, 2024
Moodle External Control of File Name or Path vulnerability
Moderate
CVE-2023-30943
was published
for
moodle/moodle
(Composer)
May 2, 2023
TeamPass External Control of File Name or Path vulnerability
High
CVE-2023-1070
was published
for
nilsteampassnet/teampass
(Composer)
Feb 27, 2023
Dompdf before v2.0.0 vulnerable to chroot check bypass
Moderate
CVE-2022-2400
was published
for
dompdf/dompdf
(Composer)
Jul 19, 2022
Upload whitelisted files to any directory in OctoberCMS
Low
CVE-2020-5297
was published
for
october/cms
(Composer)
Jun 3, 2020
Arbitrary File Deletion vulnerability in OctoberCMS
Moderate
CVE-2020-5296
was published
for
october/cms
(Composer)
Jun 3, 2020
ProTip!
Advisories are also available from the
GraphQL API