GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
3,401 advisories
Filter by severity
Sylius: IDOR on Shop Payment Request API endpoints
Moderate
CVE-2026-53639
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint
Moderate
CVE-2026-53638
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
Sylius: Cart FormComponent allows modification or deletion of an already-completed order
Moderate
CVE-2026-53637
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes
Moderate
CVE-2026-52774
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php`
Moderate
CVE-2026-52773
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))
Moderate
CVE-2026-52772
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read
Moderate
CVE-2026-52763
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
Potential XSS vulnerability in jQuery
Moderate
CVE-2020-11022
was published
for
athlon1600/youtube-downloader
(RubyGems)
Apr 29, 2020
TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload
Moderate
CVE-2026-27621
was published
for
typicms/core
(Composer)
Feb 25, 2026
Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests
Moderate
CVE-2026-53760
was published
for
admidio/admidio
(Composer)
Jul 9, 2026
Sharp Missing Authorization Check in Quick Creation Command Endpoints
Moderate
CVE-2026-53634
was published
for
code16/sharp
(Composer)
Jul 8, 2026
phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access
Moderate
CVE-2026-55599
was published
for
phpseclib/phpseclib
(Composer)
Jun 16, 2026
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose
Moderate
CVE-2026-45016
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
Craft CMS: Stored XSS via Structure entry title in table view
Moderate
CVE-2026-55793
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: Sensitive File Disclosure / Server-Side File Read
Moderate
CVE-2026-55792
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission
Moderate
GHSA-x76w-8c62-48mg
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Spatie Laravel Media Library contains a server-side request forgery vulnerability
Moderate
CVE-2026-48555
was published
for
spatie/laravel-medialibrary
(Composer)
May 29, 2026
Mautic has Stored Cross-Site Scripting (XSS) in Project Option Selector
Moderate
CVE-2026-9811
was published
for
mautic/core
(Composer)
Jul 2, 2026
Mautic Focus component Vulnerable to SSRF
Moderate
CVE-2026-9557
was published
for
mautic/core
(Composer)
Jul 2, 2026
Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API
Moderate
GHSA-q4rm-m6xh-5pv7
was published
for
froxlor/froxlor
(Composer)
Jul 2, 2026
Froxlor: Authenticated customers can read other customers' allowed sender aliases
Moderate
GHSA-mr9h-45p9-fg8h
was published
for
froxlor/froxlor
(Composer)
Jul 2, 2026
Craft CMS: Unauthorized Deletion of Source Assets During File Replacement
Moderate
CVE-2026-50283
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check
Moderate
CVE-2026-50280
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components
Moderate
GHSA-2wwr-9x6f-88gp
was published
for
easycorp/easyadmin-bundle
(Composer)
Jul 1, 2026
Paymenter has race condition in payWithCredit() that enables credit double-spend
Moderate
CVE-2026-55219
was published
for
paymenter/paymenter
(Composer)
Jun 30, 2026
ProTip!
Advisories are also available from the
GraphQL API