GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
16 advisories
Filter by severity
Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
High
CVE-2026-50281
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Moderate
GHSA-2jx3-65f3-xr8r
was published
for
spomky-labs/otphp
(Composer)
Jun 18, 2026
Drupal core allows Object Injection
Moderate
CVE-2026-6366
was published
for
drupal/core
(Composer)
May 20, 2026
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate
Moderate
CVE-2026-40486
was published
for
kimai/kimai
(Composer)
Apr 15, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment
High
CVE-2025-15602
was published
for
snipe/snipe-it
(Composer)
Mar 6, 2026
Craft CMS: Entries Authorship Spoofing via Mass Assignment
Moderate
CVE-2026-28781
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Drupal core allows Object Injection
Moderate
CVE-2025-13081
was published
for
drupal/core
(Composer)
Nov 18, 2025
handcraftedinthealps/goodby-csv has Potential Gadget Chain allowing Remote Code Execution
Low
CVE-2025-49597
was published
for
handcraftedinthealps/goodby-csv
(Composer)
Jun 13, 2025
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
Moderate
CVE-2025-31674
was published
for
drupal/core
(Composer)
Apr 1, 2025
Drupal core contains a potential PHP Object Injection vulnerability
High
CVE-2024-55637
was published
for
drupal/core
(Composer)
Dec 10, 2024
Drupal core contains a potential PHP Object Injection vulnerability
High
CVE-2024-55638
was published
for
drupal/core
(Composer)
Dec 10, 2024
Drupal core contains a potential PHP Object Injection vulnerability
Low
CVE-2024-55636
was published
for
drupal/core
(Composer)
Dec 10, 2024
qcubed PHP object injection
Critical
CVE-2020-24914
was published
for
qcubed/qcubed
(Composer)
May 24, 2022
Class destructors causing side-effects when being unserialized in TYPO3 CMS
High
CVE-2020-11066
was published
for
typo3/cms
(Composer)
May 13, 2020
Phar object injection in PHPMailer
High
CVE-2018-19296
was published
for
phpmailer/phpmailer
(Composer)
Mar 5, 2020
ProTip!
Advisories are also available from the
GraphQL API