
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,855 advisories

Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation High
CVE-2026-46640 was published for twig/twig (Composer) May 21, 2026
Twig: Sandbox property and method bypass via object-destructuring assignment High
CVE-2026-46639 was published for twig/twig (Composer) May 21, 2026
Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411) Moderate
CVE-2026-46638 was published for twig/twig (Composer) May 21, 2026
Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` Low
CVE-2026-46637 was published for twig/cssinliner-extra (Composer) May 21, 2026
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) Low
CVE-2026-46635 was published for twig/twig (Composer) May 21, 2026
Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name Moderate
CVE-2026-46634 was published for twig/twig (Composer) May 21, 2026
Twig: PHP code injection via `{% use %}` template name Critical
CVE-2026-46633 was published for twig/twig (Composer) May 21, 2026
twig/intl-extra: Unbounded formatter memoisation keyed on template-controlled arguments Low
CVE-2026-46629 was published for twig/intl-extra (Composer) May 21, 2026
Twig: The `spaceless` filter implicitly marks its output as safe Low
CVE-2026-46628 was published for twig/twig (Composer) May 21, 2026
Snappy: Binary path is never shell-escaped due to an inverted is_executable check High
CVE-2026-46643 was published for KnpLabs/knp-snappy (Composer) May 21, 2026
Snappy: SSRF and local file read via the xsl-style-sheet option Moderate
CVE-2026-46683 was published for knplabs/knp-snappy (Composer) May 21, 2026
phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration High
GHSA-w9xh-5f39-vq89 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to cyberHunter127
phpMyFAQ: Default Empty API Token Authentication Bypass High
GHSA-gp95-j463-vv28 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to guayu-kakeru
phpMyFAQ: IDOR Account Takeover High
GHSA-xvp4-phqj-cjr3 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to cyberHunter127
phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation High
GHSA-9qv9-8xv6-5p35 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
Credited to kitu232
FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service Moderate
CVE-2026-45802 was published for setasign/fpdi (Composer) May 19, 2026
Credited to esnard
AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` Moderate
CVE-2026-46337 was published for WWBN/AVideo (Composer) May 19, 2026
Credited to pr3ungdt
GitHub Actions-issued GITHUB_TOKEN disclosure in GitHub Actions logs High
CVE-2026-45793 was published for composer/composer (Composer) May 19, 2026
Credited to damienwebdev and kesselb
AVideo: Authenticated Arbitrary File Read in view/update.php Moderate
CVE-2026-45731 was published for WWBN/AVideo (Composer) May 18, 2026
Credited to pr3ungdt
Sulu: Used API Keys may be available via Admin API Low
GHSA-9m6v-8fxc-4r44 was published for sulu/sulu (Composer) May 18, 2026
Credited to gangadhar-s-k, mamazu, and alexander-schranz
Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens Moderate
CVE-2026-45701 was published for sulu/sulu (Composer) May 18, 2026
Credited to gangadhar-s-k, mamazu, alexander-schranz, and Prokyonn
Formie: Pre-authenticated server-side template injection in Hidden fields Critical
CVE-2026-45697 was published for verbb/formie (Composer) May 18, 2026
Credited to pwnsauc3
LibreNMS: Cross-Site Scripting in ShowConfigController Low
CVE-2026-2728 was published for librenms/librenms (Composer) May 18, 2026
Credited to YuriNek0
shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption Moderate
GHSA-9rh9-hf3w-9fgg was published for shopper/cart (Composer) May 18, 2026
Credited to baradika
shopper/framework: Authorization bypass in multiple Livewire admin components High
GHSA-f946-9qp6-vgch was published for shopper/framework (Composer) May 18, 2026
Credited to baradika