GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,735 advisories
Filter by severity
YesWiki has Authenticated SQL Injection via ReactionManager
High
CVE-2026-52775
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`)
High
CVE-2026-52771
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters
High
CVE-2026-52770
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId`
High
CVE-2026-52769
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via `!openssl_verify(...)` accepting `int(-1)`
High
CVE-2026-52767
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates
High
CVE-2026-52762
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
laravel-backup-restore has an OS Command Injection during database restore
High
CVE-2026-53932
was published
for
wnx/laravel-backup-restore
(Composer)
Jul 9, 2026
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview
High
GHSA-86vw-x4ww-x467
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
EGroupware has Authenticated RCE via Malicious eTemplate Upload
High
CVE-2026-40187
was published
for
egroupware/egroupware
(Composer)
Jul 7, 2026
Craft CMS: Potential authenticated Remote Code Execution via referrer redirect
High
CVE-2026-55794
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
High
CVE-2026-55790
was published
for
craftcms/cms
(Composer)
Jul 6, 2026
SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`
High
CVE-2026-49284
was published
for
simplesamlphp/simplesamlphp
(Composer)
Jul 2, 2026
SimpleSAMLphp has Possible DoS via XPath Transform
High
CVE-2026-49289
was published
for
simplesamlphp/saml2
(Composer)
Jul 2, 2026
SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass
High
CVE-2026-49283
was published
for
simplesamlphp/saml2
(Composer)
Jul 2, 2026
Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
High
CVE-2026-50282
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
High
CVE-2026-50281
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
Mautic has Stored Cross-Site Scripting (XSS) in Projects Component
High
CVE-2026-9809
was published
for
mautic/core
(Composer)
Jul 2, 2026
Mautic has an Authorization Bypass in API v2 Endpoints
High
CVE-2026-9808
was published
for
mautic/core
(Composer)
Jul 2, 2026
Mautic has SQL Injection in API Contact Filtering
High
CVE-2026-4776
was published
for
mautic/core
(Composer)
Jul 2, 2026
Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
High
CVE-2026-50284
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap
High
CVE-2026-50279
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function
High
CVE-2026-52854
was published
for
mediawiki/maps
(Composer)
Jul 2, 2026
Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
High
CVE-2026-49981
was published
for
twig/twig
(Composer)
Jul 1, 2026
Paymenter has URL parameter injection that bypasses paid plan limits at checkout
High
CVE-2026-47198
was published
for
paymenter/paymenter
(Composer)
Jun 30, 2026
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings
High
GHSA-7vfx-4246-jcfh
was published
for
solidinvoice/solidinvoice
(Composer)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API