GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
623 advisories
Filter by severity
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
Critical
CVE-2026-52778
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize
Critical
CVE-2026-52777
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action
Critical
CVE-2026-52766
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
EGroupware has a Remote Code Execution Vulnerability
Critical
CVE-2026-27823
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
Formie Hidden field defaults vulnerable to Server-Side Template Injection
Critical
CVE-2026-52889
was published
for
verbb/formie
(Composer)
Jul 6, 2026
Mautic vulnerable to Path Traversal via Campaign Import
Critical
CVE-2026-9559
was published
for
mautic/core
(Composer)
Jul 2, 2026
Mautic has Server-Side Template Injection (SSTI) in Theme Templates
Critical
CVE-2026-9558
was published
for
mautic/core
(Composer)
Jul 2, 2026
Paymenter vulnerable to Remote Code Execution via public file uploads
Critical
CVE-2025-58048
was published
for
paymenter/paymenter
(Composer)
Jun 22, 2026
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
Critical
CVE-2026-55791
was published
for
craftcms/cms
(Composer)
Jun 19, 2026
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
Critical
CVE-2026-54003
was published
for
getkirby/cms
(Composer)
Jun 18, 2026
Cotonti: Cross-Site Request Forgery in the administration rights handler
Critical
CVE-2026-55742
was published
for
cotonti/cotonti
(Composer)
Jun 18, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
Critical
CVE-2026-48062
was published
for
codeigniter4/framework
(Composer)
Jun 11, 2026
Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter
Critical
CVE-2026-48030
was published
for
pheditor/pheditor
(Composer)
Jun 9, 2026
PHPSpreadsheet has a patch bypass for CVE-2026-34084
Critical
CVE-2026-45034
was published
for
phpoffice/phpspreadsheet
(Composer)
Jun 8, 2026
Shopper: Authorization bypass and RBAC privilege escalation in team settings
Critical
CVE-2026-47744
was published
for
shopper/framework
(Composer)
Jun 5, 2026
WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
Critical
CVE-2026-54458
was published
for
WWBN/AVideo
(Composer)
Jun 4, 2026
Dolibarr ERP CRM contains a remote code evaluation vulnerability
Critical
CVE-2018-25357
was published
for
dolibarr/dolibarr
(Composer)
May 26, 2026
YesWiki: Unauthenticated SQL Injection
Critical
CVE-2026-46670
was published
for
yeswiki/yeswiki
(Composer)
May 22, 2026
Concrete CMS Vulnerable to Relative Path Traversal
Critical
CVE-2026-8134
was published
for
concrete5/concrete5
(Composer)
May 21, 2026
Twig: PHP code injection via `{% use %}` template name
Critical
CVE-2026-46633
was published
for
twig/twig
(Composer)
May 21, 2026
Drupal Core has a SQL Injection issue
Critical
CVE-2026-9082
was published
for
drupal/core
(Composer)
May 20, 2026
TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector)
Critical
CVE-2026-46725
was published
for
mmc/ceselector
(Composer)
May 19, 2026
Formie: Pre-authenticated server-side template injection in Hidden fields
Critical
CVE-2026-45697
was published
for
verbb/formie
(Composer)
May 18, 2026
Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
Critical
GHSA-6626-79jh-5ccr
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 15, 2026
•
withdrawn
Duplicate Advisory: phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
Critical
GHSA-ch9q-c9mp-j5gq
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 15, 2026
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API