
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,653 advisories

Credited to threalwinky
October CMS has Safe Mode Bypass via Twig Database Write Operations (Moderate)
CVE-2026-26274 was published for october/october (Composer), Apr 21, 2026

Credited to Neosprings and daftspunk
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers (Moderate)
CVE-2026-26067 was published for october/system (Composer), Apr 21, 2026

Credited to Neosprings and daftspunk
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations (Low)
CVE-2026-29179 was published for october/system (Composer), Apr 21, 2026

October CMS: Reflected XSS via DataTable Form Widget (Low)
CVE-2026-27937 was published for october/system (Composer), Apr 21, 2026

Credited to daftspunk
October CMS has Stored XSS in Backend Editor Markup Classes (Moderate)
CVE-2026-24906 was published for october/system (Composer), Apr 14, 2026

Credited to Neosprings and daftspunk
October CMS has Stored XSS in Event Log Mail Preview (Moderate)
CVE-2026-24907 was published for october/system (Composer), Apr 14, 2026

Credited to Neosprings and daftspunk
Craftql vulnerable to Server-Side Request Forgery (Moderate)
CVE-2026-31317 was published for markhuot/craftql (Composer), Apr 17, 2026

WWBN AVideo: RCE caused by clonesite plugin (High)
CVE-2026-41304 was published for wwbn/avideo (Composer), Apr 16, 2026

Credited to Rangar0k
elFinder: Command injection in resize background color parameter when using ImageMagick CLI (High)
CVE-2026-41247 was published for studio-42/elfinder (Composer), Apr 17, 2026

Credited to mcdruid
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() (Moderate)
CVE-2026-41233 was published for froxlor/froxlor (Composer), Apr 16, 2026

Credited to offset
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing (Moderate)
CVE-2026-41232 was published for froxlor/froxlor (Composer), Apr 16, 2026

Credited to offset
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron (High)
CVE-2026-41231 was published for froxlor/froxlor (Composer), Apr 16, 2026

Credited to offset
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() (High)
CVE-2026-41230 was published for froxlor/froxlor (Composer), Apr 16, 2026

Credited to offset
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) (Critical)
CVE-2026-41229 was published for froxlor/froxlor (Composer), Apr 16, 2026

Credited to offset
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution (Critical)
CVE-2026-41228 was published for froxlor/froxlor (Composer), Apr 16, 2026

Credited to offset
Statamic: Unsafe method invocation via query value resolution allows data destruction (High)
CVE-2026-41175 was published for statamic/cms (Composer), Apr 16, 2026

Credited to joshuaalwin and kodareef5
graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation (Moderate)
CVE-2026-40476 was published for webonyx/graphql-php (Composer), Apr 14, 2026

rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives (Moderate)
CVE-2026-40301 was published for rhukster/dom-sanitizer (Composer), Apr 10, 2026

Credited to morimori-dev
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration (Critical)
CVE-2026-23500 was published for dolibarr/dolibarr (Composer), Apr 17, 2026

Credited to lukasz-rybak
Craft CMS has a host header injection leading to SSRF via resource-js endpoint (Moderate)
CVE-2026-41130 was published for craftcms/cms (Composer), Apr 14, 2026

Credited to HuajiHD
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations (Moderate)
CVE-2026-41129 was published for craftcms/cms (Composer), Apr 14, 2026

Credited to r3dbrothers
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action (Moderate)
CVE-2026-41128 was published for craftcms/cms (Composer), Apr 14, 2026

Credited to kaminuma
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection (High)
CVE-2026-41064 was published for wwbn/avideo (Composer), Apr 14, 2026

WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS (Moderate)
CVE-2026-41063 was published for wwbn/avideo (Composer), Apr 14, 2026