GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
429 advisories
Filter by severity
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
Low
CVE-2026-45710
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Low
GHSA-c43v-4cr8-6mvp
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API
Low
CVE-2026-10215
was published
for
dolibarr/dolibarr
(Composer)
Jun 1, 2026
Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection
Low
GHSA-gq4g-fpc9-vjfq
was published
for
web-auth/webauthn-lib
(Composer)
Jul 7, 2026
Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation
Low
GHSA-j5mc-p8qg-39j7
was published
for
kimai/kimai
(Composer)
Jul 2, 2026
Kimai Password Reset Link Remains Valid After Password Change
Low
GHSA-m492-gv72-xvxj
was published
for
kimai/kimai
(Composer)
Jul 1, 2026
Schema.org has cross-site scripting (XSS) via script break-out in toScript() output
Low
GHSA-hwmc-r6mf-jh83
was published
for
spatie/schema-org
(Composer)
Jul 1, 2026
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Low
CVE-2026-48805
was published
for
twig/twig
(Composer)
Jun 30, 2026
Concrete CMS is vulnerable to Stored XSS via page name in the Atomik theme
Low
CVE-2026-8353
was published
for
concrete5/concrete5
(Composer)
May 26, 2026
Concrete CMS is vulnerable to CSRF via Backend\File::approveVersion
Low
CVE-2026-8340
was published
for
concrete5/concrete5
(Composer)
May 26, 2026
Concrete CMS is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog
Low
CVE-2026-8347
was published
for
concrete5/concrete5
(Composer)
May 26, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low
CVE-2026-54244
was published
for
statamic/cms
(Composer)
Jun 26, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
Low
CVE-2026-49358
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Low
CVE-2026-49262
was published
for
aimeos/pagible
(Composer)
Jun 26, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion()
Low
CVE-2026-8435
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple()
Low
CVE-2026-8434
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan()
Low
CVE-2026-8433
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star()
Low
CVE-2026-8432
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)
Low
CVE-2026-8427
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)
Low
CVE-2026-8416
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder
Low
CVE-2026-8415
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design
Low
CVE-2026-8413
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate
Low
CVE-2026-8414
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache
Low
CVE-2026-8412
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete
Low
CVE-2026-8411
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
ProTip!
Advisories are also available from the
GraphQL API