Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,401 advisories

Loading
symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil Moderate
CVE-2026-49211 was published for symfony/ux-autocomplete (Composer) Jun 19, 2026
Amoifr Credited to Amoifr and Kocal Kocal Kocal
symfony/ux-live-component: XSS via attacker-controlled child component tag Moderate
CVE-2026-49210 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Amoifr Credited to Amoifr and Kocal Kocal Kocal
ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor Moderate
CVE-2026-49208 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Amoifr Credited to Amoifr and Kocal Kocal Kocal
Cotonti: Cross-Site Request Forgery in the Personal File Storage (PFS) module Moderate
CVE-2026-55745 was published for cotonti/cotonti (Composer) Jun 18, 2026
guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts Moderate
CVE-2026-55767 was published for guzzlehttp/guzzle (Composer) Jun 19, 2026
iliaal Credited to iliaal
guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization Moderate
CVE-2026-55766 was published for guzzlehttp/psr7 (Composer) Jun 19, 2026
iliaal Credited to iliaal
guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext Moderate
CVE-2026-55568 was published for guzzlehttp/guzzle (Composer) Jun 19, 2026
GrahamCampbell Credited to GrahamCampbell
canto-saas-api: OAuth credentials exposed in URL query string and exception messages Moderate
CVE-2026-55375 was published for jleehr/canto-saas-api (Composer) Jun 19, 2026
jleehr Credited to jleehr
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables Moderate
CVE-2026-55374 was published for jleehr/canto-saas-api (Composer) Jun 19, 2026
jleehr Credited to jleehr
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle Moderate
GHSA-5739-39v2-5754 was published for web-token/jwt-framework (Composer) Jun 18, 2026
PHP JWT Framework: Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption Moderate
GHSA-6vvh-pxr4-25r7 was published for web-token/jwt-experimental (Composer) Jun 18, 2026
Kirby: Access to files of top-level drafts is not protected by permissions Moderate
CVE-2026-54004 was published for getkirby/cms (Composer) Jun 18, 2026
adamyordan Credited to adamyordan
Kirby: Request header injection in `Http\Remote` Moderate
CVE-2026-50188 was published for getkirby/cms (Composer) Jun 18, 2026
Kirby: `pages.access` permission is not checked in the pages picker for parent pages Moderate
CVE-2026-49274 was published for getkirby/cms (Composer) Jun 18, 2026
CyberKareem Credited to CyberKareem
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets Moderate
CVE-2026-55885 was published for getgrav/grav (Composer) Jun 18, 2026
nicl4ssic Credited to nicl4ssic
Laravel Framework: Temporary Signed URL Path Confusion Moderate
GHSA-crmm-hgp2-wgrp was published for laravel/framework (Composer) Jun 17, 2026
teebow1e Credited to teebow1e and z3moo z3moo z3moo
October Rain has Stored XSS via SVG Filter Bypass Moderate
CVE-2026-25133 was published for october/rain (Composer) Apr 14, 2026
daftspunk Credited to daftspunk and mbadanoiu mbadanoiu mbadanoiu
October Rain has Environment Variable Exfiltration via INI Parser Interpolation Moderate
CVE-2026-25125 was published for october/rain (Composer) Apr 14, 2026
daftspunk Credited to daftspunk and mbadanoiu mbadanoiu mbadanoiu
nicolas-grekas Credited to nicolas-grekas
tob-scott-a Credited to tob-scott-a and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade Moderate
CVE-2026-48747 was published for symfony/mailomat-mailer (Composer) Jun 15, 2026
KEJJ0 Credited to KEJJ0, xpw6, Wele44, and nicolas-grekas xpw6 xpw6
Wele44 Wele44 nicolas-grekas nicolas-grekas
tonghuaroot Credited to tonghuaroot and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes Moderate
CVE-2026-48761 was published for symfony/html-sanitizer (Composer) Jun 15, 2026
tob-scott-a Credited to tob-scott-a and nicolas-grekas nicolas-grekas nicolas-grekas
ProTip! Advisories are also available from the GraphQL API