Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

5,218 advisories

Loading
Known affected by Account Takeover via Password Reset Token Leakage Critical
CVE-2026-26273 was published for idno/known (Composer) Feb 13, 2026
IamLeandrooooo
Credited to IamLeandrooooo
MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution High
GHSA-r33w-fg8j-9c94 was published for cesargb/laravel-magiclink (Composer) Feb 12, 2026
Prav33N-Sec
Credited to Prav33N-Sec
Statamic CMS vulnerable to privilege escalation via stored cross-site scripting High
CVE-2026-25759 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Statamic CMS's missing authorization allows access to assets Moderate
CVE-2026-25633 was published for statamic/cms (Composer) Feb 11, 2026
Neosprings
Credited to Neosprings
Phraseanet vulnerable to stored cross-site scripting through crafted file names Moderate
CVE-2018-25157 was published for phraseanet/phraseanet (Composer) Feb 11, 2026
Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions Moderate
CVE-2019-25317 was published for kimai/kimai (Composer) Feb 11, 2026
amphp/http-server affected by HTTP/2 DDoS vulnerability Moderate
GHSA-8grv-jq2g-cfhw was published for amphp/http-server (Composer) Feb 10, 2026
galbarnahum
Credited to galbarnahum
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint High
CVE-2026-25892 was published for vrana/adminer (Composer) Feb 10, 2026
JoyGhoshs
Credited to JoyGhoshs
FroshAdminer Adminer UI is accessible without admin session Moderate
CVE-2026-25878 was published for frosh/adminer-platform (Composer) Feb 10, 2026
xndrdev Gugiman
Credited to xndrdev and Gugiman
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior High
CVE-2026-25498 was published for craftcms/cms (Composer) Feb 9, 2026
RajChowdhury240 rlarabee
Credited to RajChowdhury240 and rlarabee
Craft CMS: GraphQL Asset Mutation Privilege Escalation High
CVE-2026-25497 was published for craftcms/cms (Composer) Feb 9, 2026
vitalysim
Credited to vitalysim
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields Moderate
CVE-2026-25496 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am
Credited to mHe4am
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]` High
CVE-2026-25495 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am
Credited to mHe4am
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation Moderate
CVE-2026-25494 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am
Credited to mHe4am
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect Moderate
CVE-2026-25493 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am
Credited to mHe4am
Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host Moderate
CVE-2026-25492 was published for craftcms/craft (Composer) Feb 9, 2026
LeftenantZero
Credited to LeftenantZero
Craft CMS Vulnerable to Stored XSS in Entry Types Name Low
CVE-2026-25491 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am
Credited to mHe4am
OpenSTAManager has a SQL Injection in the Prima Nota module High
CVE-2026-24419 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module High
CVE-2026-24418 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service High
CVE-2026-24417 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module High
CVE-2026-24416 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
OpenSTAManager has a SQL Injection in Scadenzario Print Template High
CVE-2025-69216 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint) High
CVE-2025-69214 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
OpenSTAManager has an OS Command Injection in P7M File Processing Critical
CVE-2025-69212 was published for devcode-it/openstamanager (Composer) Feb 6, 2026
lukasz-rybak
Credited to lukasz-rybak
Microweber has a Cross-site Scripting vulnerability Low
CVE-2025-70791 was published for microweber/microweber (Composer) Feb 5, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database