GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,746 advisories
Filter by severity
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
High
CVE-2026-54087
was published
for
easycorp/easyadmin-bundle
(Composer)
Jul 14, 2026
FacturaScripts: CSV formula injection in CSVExport allows authenticated low-priv users to plant payloads that execute when an admin opens the export
High
CVE-2026-45263
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents
High
CVE-2026-45693
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
High
CVE-2026-52827
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
NukeViet: Pre-authentication SSRF via X-Forwarded-Host
High
CVE-2026-55372
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
High
CVE-2026-54065
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
High
CVE-2026-54064
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
High
CVE-2026-49259
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Unauthenticated Reflected XSS in Comment Module
High
CVE-2026-48118
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)
High
GHSA-qv4m-m73m-8hj7
was published
for
notrinos/notrinos-erp
(Composer)
Jul 10, 2026
YesWiki has Authenticated SQL Injection via ReactionManager
High
CVE-2026-52775
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`)
High
CVE-2026-52771
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters
High
CVE-2026-52770
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId`
High
CVE-2026-52769
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via `!openssl_verify(...)` accepting `int(-1)`
High
CVE-2026-52767
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates
High
CVE-2026-52762
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
laravel-backup-restore has an OS Command Injection during database restore
High
CVE-2026-53932
was published
for
wnx/laravel-backup-restore
(Composer)
Jul 9, 2026
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview
High
GHSA-86vw-x4ww-x467
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
EGroupware has Authenticated RCE via Malicious eTemplate Upload
High
CVE-2026-40187
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
Craft CMS: Potential authenticated Remote Code Execution via referrer redirect
High
CVE-2026-55794
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
High
CVE-2026-55790
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`
High
CVE-2026-49284
was published
for
simplesamlphp/simplesamlphp
(Composer)
Jul 2, 2026
SimpleSAMLphp has Possible DoS via XPath Transform
High
CVE-2026-49289
was published
for
simplesamlphp/saml2
(Composer)
Jul 2, 2026
SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass
High
CVE-2026-49283
was published
for
simplesamlphp/saml2
(Composer)
Jul 2, 2026
Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
High
CVE-2026-50282
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API