
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

361 advisories

Kimai has Missing Object-Level Authorization in the Team API (severity: Low)
CVE-2026-41498 was published for kimai/kimai (Composer) on Apr 24, 2026
Credited to AzureADTrent

October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations (severity: Low)
CVE-2026-29179 was published for october/system (Composer) on Apr 21, 2026

October CMS: Reflected XSS via DataTable Form Widget (severity: Low)
CVE-2026-27937 was published for october/system (Composer) on Apr 21, 2026
Credited to daftspunk

Cockpit has NoSQL Injection Through Content Aggregation Pipelines (severity: Low)
CVE-2026-6626 was published for cockpit-hq/cockpit (Composer) on Apr 20, 2026

Kimai: Username enumeration via timing on X-AUTH-USER (severity: Low)
GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) on Apr 17, 2026
Credited to melnicek

Kimai leaks API Token Hash via Invoice Twig Template (severity: Low)
GHSA-rh42-6rj2-xwmc was published for kimai/kimai (Composer) on Apr 14, 2026
Credited to hett-patell

Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler (severity: Low)
GHSA-3jp4-mhh4-gcgr was published for kimai/kimai (Composer) on Apr 14, 2026
Credited to morimori-dev and tianluov

phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() (severity: Low)
CVE-2026-40194 was published for phpseclib/phpseclib (Composer) on Apr 10, 2026
Credited to kodareef5
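The phpseclib entry names a specific pattern worth seeing side by side: comparing a received MAC tag with != versus hash_equals(). The block below is an added example written for this page, not phpseclib's code; compute_mac(), verify_mac_loose() and verify_mac_safe() are hypothetical names, and the key, sequence number and packet bytes are constructed demo input. It shows the two problems with the loose pattern: the comparison returns as soon as a byte differs (the timing channel the advisory describes), and PHP's != is a loose comparison, so two different numeric-looking strings such as hex tags beginning with "0e" compare as equal numbers.

```php
<?php
// Added example, not phpseclib code: a hypothetical SSH-style packet MAC check
// written two ways. verify_mac_loose() uses the pattern the advisory names
// (a != comparison of the received tag against the computed one);
// verify_mac_safe() is the hardened form using hash_equals().
declare(strict_types=1);

// HMAC-SHA256 over the packet sequence number and the packet bytes, keyed with
// the integrity key. Both checkers below recompute the tag this way.
function compute_mac(string $key, int $seq, string $packet): string
{
    return hash_hmac('sha256', pack('N', $seq) . $packet, $key, true);
}

// Vulnerable pattern: != on strings stops at the first differing byte, so the
// time taken leaks how many leading bytes of a forged tag were correct. It is
// also PHP's loose comparison: two numeric-looking strings compare as numbers.
function verify_mac_loose(string $key, int $seq, string $packet, string $received): bool
{
    $expected = compute_mac($key, $seq, $packet);
    if ($received != $expected) {
        return false;
    }
    return true;
}

// Hardened pattern: hash_equals() walks every byte of the known-length tag
// regardless of where the first mismatch is, and compares bytes strictly.
function verify_mac_safe(string $key, int $seq, string $packet, string $received): bool
{
    $expected = compute_mac($key, $seq, $packet);
    return hash_equals($expected, $received);
}

// Constructed demo input (fixed key so the run is repeatable).
$key    = str_repeat("\x01", 32);
$seq    = 7;
$packet = 'constructed packet payload';
$tag    = compute_mac($key, $seq, $packet);

// A genuine tag passes both checkers; a tag with one flipped byte fails both.
$forged = $tag;
$forged[0] = chr(ord($forged[0]) ^ 0x01);
var_dump(verify_mac_loose($key, $seq, $packet, $tag));
var_dump(verify_mac_safe($key, $seq, $packet, $tag));
var_dump(verify_mac_loose($key, $seq, $packet, $forged));
var_dump(verify_mac_safe($key, $seq, $packet, $forged));

// Loose comparison pitfall on hex-encoded tags: both of these constructed
// strings are numeric ("0e" followed by digits, i.e. 0 times ten to some
// power), so != treats them as equal while hash_equals() does not.
$a = '0e462097431906509019562988736854';
$b = '0e830400451993494058024219903391';
var_dump($a != $b);
var_dump(hash_equals($a, $b));
```

Run it with `php mac_compare.php`. The timing difference is not printed; the point of hash_equals() is that its running time depends only on the length of the first argument, so pass the server-computed value first and the attacker-supplied value second, as verify_mac_safe() does.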
REDAXO has reflected XSS in backend packages API via function parameter (CSRF token required) (severity: Low)
GHSA-xq4j-g85q-wf97 was published for redaxo/source (Composer) on Apr 10, 2026
Credited to NumberOreo1

REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required) (severity: Low)
GHSA-m662-8jrj-cw6v was published for redaxo/source (Composer) on Apr 10, 2026
Credited to NumberOreo1

PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state (severity: Low)
GHSA-f9jp-856v-8642 was published for pocketmine/pocketmine-mp (Composer) on Apr 6, 2026
Credited to kostamax27 and dktapps

AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php (severity: Low)
CVE-2026-35448 was published for wwbn/avideo (Composer) on Apr 4, 2026
Credited to adrgs and aisafe-bot

Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler (severity: Low)
CVE-2026-35537 was published for roundcube/roundcubemail (Composer) on Apr 3, 2026

Roundcube Webmail: Unsanitized IMAP SEARCH command arguments (severity: Low)
CVE-2026-35538 was published for roundcube/roundcubemail (Composer) on Apr 3, 2026

Krayin CRM is vulnerable to Cross-site Scripting (XSS) (severity: Low)
CVE-2026-5370 was published for krayin/laravel-crm (Composer) on Apr 2, 2026

Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config (severity: Low)
GHSA-3h6j-9x8m-rg3g was published for j0k3r/graby (Composer) on Mar 31, 2026
Credited to tikket1 and GCXWLP

PrestaShop: Improper Use of Validation Framework (severity: Low)
CVE-2026-33674 was published for prestashop/prestashop (Composer) on Mar 25, 2026

Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users (severity: Low)
CVE-2026-33161 was published for craftcms/cms (Composer) on Mar 24, 2026
Credited to Susen2

Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL (severity: Low)
CVE-2026-33160 was published for craftcms/cms (Composer) on Mar 24, 2026
Credited to GCXWLP

AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php (severity: Low)
CVE-2026-33296 was published for wwbn/avideo (Composer) on Mar 19, 2026
Credited to fg0x0
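Two entries in this list, the Kimai SAML RelayState advisory and the AVideo redirectUri advisory, are the same bug class: a post-login redirect target taken from the request and followed without validation. The block below is an added example written for this page, not code from either project. safe_redirect_target() is a hypothetical helper; it accepts only a path rooted on the current application and falls back to a fixed default for anything else, including absolute URLs, protocol-relative "//host" forms, the backslash variant browsers also treat as protocol-relative, and scheme-only values such as javascript:. The candidate strings at the bottom are constructed test input.

```php
<?php
// Added example, not Kimai or AVideo code: an allow-list check for a redirect
// target such as a SAML RelayState or a redirectUri parameter.
declare(strict_types=1);

function safe_redirect_target(?string $candidate, string $default = '/'): string
{
    if ($candidate === null) {
        return $default;
    }
    $candidate = trim($candidate);
    if ($candidate === '') {
        return $default;
    }

    // Anything that parses with a scheme or a host is off-site or a
    // non-HTTP scheme: http://evil.example, //evil.example, javascript:...
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }

    // Must be rooted at "/" and must not start with "//" or "/\", both of
    // which browsers resolve as protocol-relative URLs to another host.
    $second = $candidate[1] ?? '';
    if ($candidate[0] !== '/' || $second === '/' || $second === '\\') {
        return $default;
    }

    // No backslashes or control characters anywhere in the path either.
    if (preg_match('/[\\\\\x00-\x1f\x7f]/', $candidate) === 1) {
        return $default;
    }

    return $candidate;
}

// Constructed test input: the first two are legitimate in-app targets, the
// rest are the forms an attacker would place in RelayState or redirectUri.
$candidates = [
    '/dashboard',
    '/timesheet?week=17',
    'https://evil.example/phish',
    '//evil.example/phish',
    '/\\evil.example/phish',
    'javascript:alert(1)',
    "/dashboard\r\nSet-Cookie: x=1",
    '',
    null,
];

foreach ($candidates as $c) {
    printf("%-40s -> %s\n", var_export($c, true), safe_redirect_target($c));
}
```

The check validates the decoded, trimmed value that the redirect will actually be built from; validating a raw percent-encoded string and redirecting to its decoded form would let "%2F%2Fevil.example" slip through. Where a deployment needs cross-host redirects (for example to a fixed SSO portal), extend the helper with an explicit list of allowed hosts rather than relaxing the relative-path rule.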
Broken Access Control in extension "Redirect Tab" (redirect_tab) (severity: Low)
CVE-2026-4202 was published for ayacoo/redirect-tab (Composer) on Mar 17, 2026

Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability (severity: Low)
CVE-2026-32266 was published for craftcms/google-cloud (Composer) on Mar 16, 2026

Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page (severity: Low)
GHSA-g3hp-vvqf-8vw6 was published for craftcms/cms (Composer) on Mar 11, 2026
Credited to mHe4am