GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,277
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,489
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,188 advisories
Filter by severity
mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function
High
CVE-2026-52854
was published
for
mediawiki/maps
(Composer)
Jul 2, 2026
Kimai Password Reset Link Remains Valid After Password Change
Low
GHSA-m492-gv72-xvxj
was published
for
kimai/kimai
(Composer)
Jul 1, 2026
Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
High
CVE-2026-49981
was published
for
twig/twig
(Composer)
Jul 1, 2026
Schema.org has cross-site scripting (XSS) via script break-out in toScript() output
Low
GHSA-hwmc-r6mf-jh83
was published
for
spatie/schema-org
(Composer)
Jul 1, 2026
EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components
Moderate
GHSA-2wwr-9x6f-88gp
was published
for
easycorp/easyadmin-bundle
(Composer)
Jul 1, 2026
Paymenter has race condition in payWithCredit() that enables credit double-spend
Moderate
CVE-2026-55219
was published
for
paymenter/paymenter
(Composer)
Jun 30, 2026
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Moderate
CVE-2026-48808
was published
for
twig/twig
(Composer)
Jun 30, 2026
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters
Moderate
CVE-2026-48807
was published
for
twig/twig
(Composer)
Jun 30, 2026
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Moderate
CVE-2026-48806
was published
for
twig/twig
(Composer)
Jun 30, 2026
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Low
CVE-2026-48805
was published
for
twig/twig
(Composer)
Jun 30, 2026
Paymenter has URL parameter injection that bypasses paid plan limits at checkout
High
CVE-2026-47198
was published
for
paymenter/paymenter
(Composer)
Jun 30, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low
CVE-2026-54244
was published
for
statamic/cms
(Composer)
Jun 26, 2026
Statamic Vulnerable to CSV formula injection in form submission exports
Moderate
CVE-2026-54243
was published
for
statamic/cms
(Composer)
Jun 26, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate
CVE-2026-54242
was published
for
statamic/cms
(Composer)
Jun 26, 2026
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings
High
GHSA-7vfx-4246-jcfh
was published
for
solidinvoice/solidinvoice
(Composer)
Jun 26, 2026
Statamic CMS's unsafe method invocation via collection sorting allows data destruction
High
CVE-2026-49287
was published
for
statamic/cms
(Composer)
Jun 26, 2026
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate
CVE-2026-49288
was published
for
statamic/cms
(Composer)
Jun 26, 2026
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
Moderate
CVE-2026-49359
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
Low
CVE-2026-49358
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
High
CVE-2026-49286
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Low
CVE-2026-49262
was published
for
aimeos/pagible
(Composer)
Jun 26, 2026
php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
High
CVE-2026-49260
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
High
GHSA-985r-q3qp-299h
was published
for
phpmyfaq/phpmyfaq
(Composer)
Jun 26, 2026
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Moderate
GHSA-q683-8468-r6h6
was published
for
web-auth/webauthn-symfony-bundle
(Composer)
Jun 26, 2026
CakePHP: View::element() is missing a path containment check
Moderate
CVE-2026-48820
was published
for
cakephp/cakephp
(Composer)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API