GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
3,401 advisories
Filter by severity
symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil
Moderate
CVE-2026-49211
was published
for
symfony/ux-autocomplete
(Composer)
Jun 19, 2026
symfony/ux-live-component: XSS via attacker-controlled child component tag
Moderate
CVE-2026-49210
was published
for
symfony/ux-live-component
(Composer)
Jun 19, 2026
ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor
Moderate
CVE-2026-49208
was published
for
symfony/ux-live-component
(Composer)
Jun 19, 2026
Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module
Moderate
CVE-2026-55745
was published
for
cotonti/cotonti
(Composer)
Jun 18, 2026
guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts
Moderate
CVE-2026-55767
was published
for
guzzlehttp/guzzle
(Composer)
Jun 19, 2026
guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization
Moderate
CVE-2026-55766
was published
for
guzzlehttp/psr7
(Composer)
Jun 19, 2026
guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
Moderate
CVE-2026-55568
was published
for
guzzlehttp/guzzle
(Composer)
Jun 19, 2026
canto-saas-api: OAuth credentials exposed in URL query string and exception messages
Moderate
CVE-2026-55375
was published
for
jleehr/canto-saas-api
(Composer)
Jun 19, 2026
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables
Moderate
CVE-2026-55374
was published
for
jleehr/canto-saas-api
(Composer)
Jun 19, 2026
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Moderate
GHSA-5739-39v2-5754
was published
for
web-token/jwt-framework
(Composer)
Jun 18, 2026
PHP JWT Framework: Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
Moderate
GHSA-6vvh-pxr4-25r7
was published
for
web-token/jwt-experimental
(Composer)
Jun 18, 2026
spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Moderate
GHSA-2jx3-65f3-xr8r
was published
for
spomky-labs/otphp
(Composer)
Jun 18, 2026
Kirby: Access to files of top-level drafts is not protected by permissions
Moderate
CVE-2026-54004
was published
for
getkirby/cms
(Composer)
Jun 18, 2026
Kirby: Request header injection in `Http\Remote`
Moderate
CVE-2026-50188
was published
for
getkirby/cms
(Composer)
Jun 18, 2026
Kirby: `pages.access` permission is not checked in the pages picker for parent pages
Moderate
CVE-2026-49274
was published
for
getkirby/cms
(Composer)
Jun 18, 2026
Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr
Moderate
CVE-2026-55890
was published
for
getgrav/grav
(Composer)
Jun 18, 2026
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
Moderate
CVE-2026-55885
was published
for
getgrav/grav
(Composer)
Jun 18, 2026
Laravel Framework: Temporary Signed URL Path Confusion
Moderate
GHSA-crmm-hgp2-wgrp
was published
for
laravel/framework
(Composer)
Jun 17, 2026
October Rain has Stored XSS via SVG Filter Bypass
Moderate
CVE-2026-25133
was published
for
october/rain
(Composer)
Apr 14, 2026
October Rain has Environment Variable Exfiltration via INI Parser Interpolation
Moderate
CVE-2026-25125
was published
for
october/rain
(Composer)
Apr 14, 2026
Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Moderate
CVE-2026-48784
was published
for
symfony/routing
(Composer)
Jun 15, 2026
Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Moderate
CVE-2026-48760
was published
for
symfony/html-sanitizer
(Composer)
Jun 15, 2026
Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
Moderate
CVE-2026-48747
was published
for
symfony/mailomat-mailer
(Composer)
Jun 15, 2026
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate
CVE-2026-48736
was published
for
symfony/http-client
(Composer)
Jun 15, 2026
Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes
Moderate
CVE-2026-48761
was published
for
symfony/html-sanitizer
(Composer)
Jun 15, 2026
ProTip!
Advisories are also available from the
GraphQL API