Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,562
Maven
5,000+
npm
5,000+
NuGet
917
pip
4,807
Pub
13
RubyGems
1,038
Rust
1,238
Swift
53
Unreviewed advisories
All unreviewed
5,000+

5,641 advisories

Loading
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution High
CVE-2026-40488 was published for openmage/magento-lts (Composer) Apr 21, 2026
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations Low
CVE-2026-29179 was published for october/system (Composer) Apr 21, 2026
October CMS: Reflected XSS via DataTable Form Widget Low
CVE-2026-27937 was published for october/system (Composer) Apr 21, 2026
daftspunk Credited to daftspunk
October CMS has Safe Mode Bypass via Twig Database Write Operations Moderate
CVE-2026-26274 was published for october/october (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers Moderate
CVE-2026-26067 was published for october/system (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure Moderate
CVE-2026-40098 was published for openmage/magento-lts (Composer) Apr 21, 2026
LoGGGG2402 Credited to LoGGGG2402
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module Moderate
CVE-2026-25525 was published for openmage/magento-lts (Composer) Apr 21, 2026
OpenMage LTS: Phar Deserialization leads to Remote Code Execution High
CVE-2026-25524 was published for openmage/magento-lts (Composer) Apr 21, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave() High
GHSA-f58v-p6j9-24c2 was published for yeswiki/yeswiki (Composer) Apr 18, 2026
morimori-dev Credited to morimori-dev
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes High
GHSA-qrr6-mg7r-m243 was published for phpunit/phpunit (Composer) Apr 18, 2026
kayw-geek Credited to kayw-geek, sebastianbergmann, and sanmai sebastianbergmann sebastianbergmann
sanmai sanmai
elFinder: Command injection in resize background color parameter when using ImageMagick CLI High
GHSA-8q4h-8crm-5cvc was published for studio-42/elfinder (Composer) Apr 17, 2026
Kimai: Username enumeration via timing on X-AUTH-USER Low
GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) Apr 17, 2026
melnicek Credited to melnicek
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration Critical
CVE-2026-23500 was published for dolibarr/dolibarr (Composer) Apr 17, 2026
lukasz-rybak Credited to lukasz-rybak
Craftql vulnerable to Server-Side Request Forgery Moderate
CVE-2026-31317 was published for markhuot/craftql (Composer) Apr 17, 2026
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar High
CVE-2026-40308 was published for joedolson/my-calendar (Composer) Apr 16, 2026
minhi1 Credited to minhi1
Statamic: Unsafe method invocation via query value resolution allows data destruction High
GHSA-4jjr-vmv7-wh4w was published for statamic/cms (Composer) Apr 16, 2026
joshuaalwin Credited to joshuaalwin and kodareef5 kodareef5 kodareef5
WWBN AVideo: RCE cause by clonesite plugin High
GHSA-xr6f-h4x7-r6qp was published for wwbn/avideo (Composer) Apr 16, 2026
Rangar0k Credited to Rangar0k
Silverstripe Assets Module has a DBFile::getURL() permission bypass Moderate
CVE-2026-24749 was published for silverstripe/assets (Composer) Apr 16, 2026
Withdrawn Advisory: Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion High
GHSA-qjfj-3mm5-vrjg was published for google/protobuf (Composer) Apr 16, 2026 withdrawn
goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files Critical
CVE-2026-31843 was published for goodoneuz/pay-uz (Composer) Apr 16, 2026
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution Critical
GHSA-w59f-67xm-rxx7 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature Moderate
CVE-2026-40500 was published for processwire/processwire (Composer) Apr 16, 2026
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) Critical
GHSA-gc9w-cc93-rjv8 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() High
GHSA-47hf-23pw-3m8c was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron High
GHSA-75h4-c557-j89r was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database