
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,138 advisories

CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting Moderate
CVE-2026-23643 was published for cakephp/cakephp (Composer) Jan 16, 2026
Credited to phpcss-ankue and markstory
solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets Low
GHSA-rwr8-xrpw-9qf5 was published for solspace/craft-freeform (Composer) Jan 15, 2026
solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data Low
GHSA-44jg-mv3h-wj6g was published for solspace/craft-freeform (Composer) Jan 15, 2026
Credited to riekusdn
solspace/craft-freeform Has a DoS Vulnerability Low
GHSA-58q2-9x27-h2jm was published for solspace/craft-freeform (Composer) Jan 15, 2026
Credited to LeonBatch
alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass High
CVE-2026-23622 was published for alextselegidis/easyappointments (Composer) Jan 15, 2026
Credited to faroukn
Aimeos contains a SQL injection vulnerability in the json api 'sort' parameter High
CVE-2021-47763 was published for aimeos/aimeos-laravel (Composer) Jan 15, 2026
Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization Moderate
CVE-2026-23496 was published for pimcore/web2print-tools-bundle (Composer) Jan 15, 2026
Credited to ytlamal
Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing Moderate
CVE-2026-23495 was published for pimcore/admin-ui-classic-bundle (Composer) Jan 15, 2026
Credited to ytlamal
Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing Moderate
CVE-2026-23494 was published for pimcore/pimcore (Composer) Jan 15, 2026
Credited to ytlamal
Pimcore ENV Variables and Cookie Information are exposed in http_error_log High
CVE-2026-23493 was published for pimcore/pimcore (Composer) Jan 15, 2026
Credited to putzflorian
Algolia Search & Discovery for Magento 2 Has Untrusted Data Handling Moderate
GHSA-595p-g7xc-c333 was published for algolia/algoliasearch-magento-2 (Composer) Jan 14, 2026
Credited to IvanChepurnyi
Pimcore Has an Incomplete Patch for CVE-2023-30848 High
CVE-2026-23492 was published for pimcore/pimcore (Composer) Jan 14, 2026
Credited to Snow1nd
Shopware Has Improper Control of Generation of Code in Twig rendered views High
CVE-2026-23498 was published for shopware/core (Composer) Jan 14, 2026
Credited to lukasz-rybak
Concrete5 CMS contains an XPath injection vulnerability Moderate
CVE-2022-50807 was published for concrete5/concrete5 (Composer) Jan 14, 2026
TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool Moderate
CVE-2026-0859 was published for typo3/cms-core (Composer) Jan 13, 2026
TYPO3 CMS Allows Broken Access Control in Recycler Module High
CVE-2025-59022 was published for typo3/cms-recycler (Composer) Jan 13, 2026
TYPO3 CMS Allows Broken Access Control in Redirects Module Moderate
CVE-2025-59021 was published for typo3/cms-redirects (Composer) Jan 13, 2026
TYPO3 CMS Allows Broken Access Control in Edit Document Controller Moderate
CVE-2025-59020 was published for typo3/cms-backend (Composer) Jan 13, 2026
October CMS Vulnerable to Stored XSS via Branding Styles Moderate
CVE-2025-61676 was published for october/system (Composer) Jan 9, 2026
Credited to nakkouchtarek and daftspunk
October CMS Vulnerable to Stored XSS via Editor and Branding Styles Moderate
CVE-2025-61674 was published for october/system (Composer) Jan 9, 2026
Credited to nakkouchtarek and daftspunk
Kirby is missing permission checks in the content changes API Moderate
CVE-2026-21896 was published for getkirby/cms (Composer) Jan 8, 2026
Credited to lukaskleinschmidt
CoreShop Vulnerable to SQL Injection via Admin Reports Moderate
CVE-2026-22242 was published for coreshop/core-shop (Composer) Jan 7, 2026
Credited to PlyNatwara and bypazs
Pterodactyl TOTPs can be reused during validity window Moderate
CVE-2025-69197 was published for pterodactyl/panel (Composer) Jan 6, 2026
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced High
CVE-2025-68954 was published for github.com/pterodactyl/wings (Composer) Jan 6, 2026
Credited to real2two
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read High
CVE-2026-21857 was published for redaxo/source (Composer) Jan 5, 2026
Credited to lukasz-rybak