
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,251 advisories

Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) Moderate
CVE-2026-46638 was published for twig/twig (Composer) May 21, 2026
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name Moderate
CVE-2026-46634 was published for twig/twig (Composer) May 21, 2026
Snappy: SSRF and local file read via the xsl-style-sheet option Moderate
CVE-2026-46683 was published for knplabs/knp-snappy (Composer) May 21, 2026
FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service Moderate
CVE-2026-45802 was published for setasign/fpdi (Composer) May 19, 2026
Credited to esnard
AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` Moderate
CVE-2026-46337 was published for WWBN/AVideo (Composer) May 19, 2026
Credited to pr3ungdt
AVideo: Authenticated Arbitrary File Read in view/update.php Moderate
CVE-2026-45731 was published for WWBN/AVideo (Composer) May 18, 2026
Credited to pr3ungdt
Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens Moderate
CVE-2026-45701 was published for sulu/sulu (Composer) May 18, 2026
Credited to gangadhar-s-k, mamazu, alexander-schranz, and Prokyonn
shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption Moderate
GHSA-9rh9-hf3w-9fgg was published for shopper/cart (Composer) May 18, 2026
Credited to baradika and offset
CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule Moderate
CVE-2026-45138 was published for ci4-cms-erp/ci4ms (Composer) May 18, 2026
Credited to offset
Statamic CMS: Server-Side Request Forgery via Glide Moderate
CVE-2026-45660 was published for statamic/cms (Composer) May 18, 2026
Credited to haoit and SnailSploit
phpMyFAQ: Path traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins Moderate
CVE-2026-45008 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026
phpMyFAQ: SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS Moderate
CVE-2026-46360 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026
phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization Moderate
CVE-2026-46363 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026
phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags Moderate
CVE-2026-46365 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026
phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check Moderate
CVE-2026-45009 was published for phpMyFAQ/phpMyFAQ (Composer) May 15, 2026
Credited to offset
AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute Moderate
CVE-2026-45580 was published for WWBN/AVideo (Composer) May 15, 2026
Credited to offset
Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option Moderate
CVE-2026-23695 was published for cockpit-hq/cockpit (Composer) May 15, 2026
SimpleSAMLphp casserver: Open Redirect in logout Moderate
CVE-2025-65954 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) May 15, 2026
Credited to pradtke
MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API Moderate
CVE-2026-42070 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304, TristanInSec, and dregad
MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field Moderate
CVE-2026-41897 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page Moderate
CVE-2026-40598 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to siunam321 and dregad