GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
429 advisories
Filter by severity
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
Low
CVE-2026-45710
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Low
GHSA-c43v-4cr8-6mvp
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection
Low
GHSA-gq4g-fpc9-vjfq
was published
for
web-auth/webauthn-lib
(Composer)
Jul 7, 2026
Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation
Low
GHSA-j5mc-p8qg-39j7
was published
for
kimai/kimai
(Composer)
Jul 2, 2026
Kimai Password Reset Link Remains Valid After Password Change
Low
GHSA-m492-gv72-xvxj
was published
for
kimai/kimai
(Composer)
Jul 1, 2026
Schema.org has cross-site scripting (XSS) via script break-out in toScript() output
Low
GHSA-hwmc-r6mf-jh83
was published
for
spatie/schema-org
(Composer)
Jul 1, 2026
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Low
CVE-2026-48805
was published
for
twig/twig
(Composer)
Jun 30, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low
CVE-2026-54244
was published
for
statamic/cms
(Composer)
Jun 26, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
Low
CVE-2026-49358
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Low
CVE-2026-49262
was published
for
aimeos/pagible
(Composer)
Jun 26, 2026
Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL
Low
CVE-2026-55542
was published
for
snipe/snipe-it
(Composer)
Jun 23, 2026
Snipe-IT has Improper Authorization in File Deletion (IDOR)
Low
CVE-2026-55519
was published
for
snipe/snipe-it
(Composer)
Jun 23, 2026
phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing
Low
CVE-2026-48488
was published
for
phpmyfaq/phpmyfaq
(Composer)
Jun 23, 2026
symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted
Low
CVE-2026-49215
was published
for
symfony/ux-live-component
(Composer)
Jun 19, 2026
symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding
Low
CVE-2026-49212
was published
for
symfony/ux-live-component
(Composer)
Jun 19, 2026
symfony/ux-live-component: Denial of service via unbounded batch action requests
Low
CVE-2026-49209
was published
for
symfony/ux-live-component
(Composer)
Jun 19, 2026
TYPO3 CMS has Broken Access Control in its File Abstraction Layer
Low
CVE-2026-49738
was published
for
typo3/cms-core
(Composer)
Jun 12, 2026
TYPO3 HTML Sanitizer allows Cross-site Scripting
Low
CVE-2026-47344
was published
for
typo3/html-sanitizer
(Composer)
Jun 12, 2026
Twig: XSS in profiler HtmlDumper via unescaped template and profile names
Low
CVE-2026-47730
was published
for
twig/twig
(Composer)
Jun 5, 2026
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
Low
CVE-2026-48011
was published
for
shopware/core
(Composer)
Jun 4, 2026
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API
Low
CVE-2026-10215
was published
for
dolibarr/dolibarr
(Composer)
Jun 1, 2026
symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form
Low
CVE-2026-46644
was published
for
symfony/polyfill
(Composer)
May 28, 2026
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS
Low
CVE-2026-45756
was published
for
symfony/json-path
(Composer)
May 28, 2026
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
Low
CVE-2026-45753
was published
for
symfony/html-sanitizer
(Composer)
May 28, 2026
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Low
CVE-2026-45305
was published
for
symfony/symfony
(Composer)
May 27, 2026
ProTip!
Advisories are also available from the
GraphQL API