GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
378 advisories
FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation
Low
CVE-2026-27964
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
Sulu: Used API Keys may be available via Admin API
Low
GHSA-9m6v-8fxc-4r44
was published
for
sulu/sulu
(Composer)
May 18, 2026
LibreNMS: Cross-Site Scripting in ShowConfigController
Low
CVE-2026-2728
was published
for
librenms/librenms
(Composer)
May 18, 2026
Kimai has Missing Object-Level Authorization in the Team API
Low
CVE-2026-41498
was published
for
kimai/kimai
(Composer)
Apr 24, 2026
Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send
Low
CVE-2026-41663
was published
for
admidio/admidio
(Composer)
Apr 29, 2026
Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment
Low
CVE-2026-41659
was published
for
admidio/admidio
(Composer)
Apr 29, 2026
Grav has Insecure Deserialization in File Cache
Low
CVE-2026-7317
was published
for
getgrav/grav
(Composer)
May 5, 2026
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
Low
CVE-2026-40194
was published
for
phpseclib/phpseclib
(Composer)
Apr 10, 2026
Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy
Low
GHSA-h4fw-6r7f-w494
was published
for
web-auth/webauthn-framework
(Composer)
May 7, 2026
October CMS: Reflected XSS via DataTable Form Widget
Low
CVE-2026-27937
was published
for
october/system
(Composer)
Apr 21, 2026
Kimai: Username enumeration via timing on X-AUTH-USER
Low
GHSA-jrc6-fmhw-fpq2
was published
for
kimai/kimai
(Composer)
Apr 17, 2026
ProTip!
Advisories are also available from the
GraphQL API