GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
6,029 advisories
symfony/ux-toolkit: Path Traversal Allows Arbitrary File Write and Read via Crafted Recipe Manifest
High. CVE-2026-55878 was published for symfony/ux-toolkit (Composer) on Jun 19, 2026.

symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses
Moderate. CVE-2026-55877 was published for symfony/ux-icons (Composer) on Jun 19, 2026.

StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
High. CVE-2026-55692 was published for starcitizenwiki/embedvideo (Composer) on Jun 19, 2026.

Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass
Moderate. CVE-2026-55795 was published for craftcms/commerce (Composer) on Jun 19, 2026.

Craft Commerce: Partial Payment Amount Without Lower Bound Validation
Moderate. GHSA-78vr-q6cf-c7p6 was published for craftcms/commerce (Composer) on Jun 19, 2026.

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
Critical. CVE-2026-55791 was published for craftcms/cms (Composer) on Jun 19, 2026.

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template
High. CVE-2026-55691 was published for starcitizenwiki/embedvideo (Composer) on Jun 19, 2026.

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text
High. CVE-2026-55690 was published for starcitizenwiki/embedvideo (Composer) on Jun 19, 2026.

symfony/ux-autocomplete: XSS via unescaped AJAX response data
Moderate. CVE-2026-49216 was published for symfony/ux-autocomplete (Composer) on Jun 19, 2026.

symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted
Low. CVE-2026-49215 was published for symfony/ux-live-component (Composer) on Jun 19, 2026.

symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding
Low. CVE-2026-49212 was published for symfony/ux-live-component (Composer) on Jun 19, 2026.

symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil
Moderate. CVE-2026-49211 was published for symfony/ux-autocomplete (Composer) on Jun 19, 2026.

symfony/ux-live-component: XSS via attacker-controlled child component tag
Moderate. CVE-2026-49210 was published for symfony/ux-live-component (Composer) on Jun 19, 2026.

symfony/ux-live-component: Denial of service via unbounded batch action requests
Low. CVE-2026-49209 was published for symfony/ux-live-component (Composer) on Jun 19, 2026.

ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor
Moderate. CVE-2026-49208 was published for symfony/ux-live-component (Composer) on Jun 19, 2026.

guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts
Moderate. CVE-2026-55767 was published for guzzlehttp/guzzle (Composer) on Jun 19, 2026.

guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization
Moderate. CVE-2026-55766 was published for guzzlehttp/psr7 (Composer) on Jun 19, 2026.

guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
Moderate. CVE-2026-55568 was published for guzzlehttp/guzzle (Composer) on Jun 19, 2026.

canto-saas-api: OAuth credentials exposed in URL query string and exception messages
Moderate. CVE-2026-55375 was published for jleehr/canto-saas-api (Composer) on Jun 19, 2026.

canto-saas-api: Authenticated API requests can be redirected via unencoded path variables
Moderate. CVE-2026-55374 was published for jleehr/canto-saas-api (Composer) on Jun 19, 2026.

PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Moderate. GHSA-5739-39v2-5754 was published for web-token/jwt-framework (Composer) on Jun 18, 2026.

PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
High. GHSA-jc38-x7x8-2xc8 was published for web-token/jwt-framework (Composer) on Jun 18, 2026.

PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
High. GHSA-3prj-6hqw-cm82 was published for web-token/jwt-framework (Composer) on Jun 18, 2026.

PHP JWT Framework: Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
Moderate. GHSA-6vvh-pxr4-25r7 was published for web-token/jwt-experimental (Composer) on Jun 18, 2026.

spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Moderate. GHSA-2jx3-65f3-xr8r was published for spomky-labs/otphp (Composer) on Jun 18, 2026.