GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,253 advisories

Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass High
CVE-2026-27939 was published for statamic/cms (Composer) Feb 27, 2026
Credited to Mistz1
phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint High
CVE-2026-27836 was published for thorsten/phpmyfaq (Composer) Feb 27, 2026
Credited to Offensive-AI
Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting High
CVE-2026-3105 was published for mautic/core (Composer) Feb 25, 2026
Credited to q1uf3ng and patrykgruszka
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type Low
GHSA-6j87-m5qx-9fqp was published for craftcms/cms (Composer) Feb 25, 2026
Credited to mHe4am
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php High
CVE-2026-27732 was published for wwbn/avideo (Composer) Feb 25, 2026
Credited to arkmarta
TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload Moderate
CVE-2026-27621 was published for typicms/core (Composer) Feb 25, 2026
Credited to lukasz-rybak
Statamic is vulnerable to account takeover via password reset link injection Critical
CVE-2026-27593 was published for statamic/cms (Composer) Feb 24, 2026
Credited to Neosprings
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause Moderate
CVE-2026-27461 was published for pimcore/pimcore (Composer) Feb 24, 2026
Credited to q1uf3ng
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution Moderate
CVE-2026-27129 was published for craftcms/cms (Composer) Feb 24, 2026
Credited to RajChowdhury240 and rlarabee
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit Moderate
CVE-2026-27128 was published for craftcms/cms (Composer) Feb 23, 2026
Credited to vitalysim
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding High
CVE-2026-27127 was published for craftcms/cms (Composer) Feb 23, 2026
Credited to RajChowdhury240 and rlarabee
Craft CMS has Stored XSS in Table Field via "HTML" Column Type Moderate
CVE-2026-27126 was published for craftcms/cms (Composer) Feb 23, 2026
Credited to mHe4am
funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function Low
CVE-2026-2898 was published for funadmin/funadmin (Composer) Feb 22, 2026
funadmin: XSS through Value argument in Backend Interface component Low
CVE-2026-2897 was published for funadmin/funadmin (Composer) Feb 22, 2026
funadmin has Weak Password Recovery Mechanism for Forgotten Password Low
CVE-2026-2895 was published for funadmin/funadmin (Composer) Feb 22, 2026
funadmin has Incorrect Privilege Assignment in its Configuration Handler Moderate
CVE-2026-2896 was published for funadmin/funadmin (Composer) Feb 22, 2026
funadmin exposes sensitive information via getMember function Moderate
CVE-2026-2894 was published for funadmin/funadmin (Composer) Feb 22, 2026
Moodle TeX formula editor is vulnerable to DoS through lack of execution time limits Moderate
CVE-2026-26047 was published for moodle/moodle (Composer) Feb 21, 2026
Moodle has a Remote Code Execution risk via file restore High
CVE-2026-26045 was published for moodle/moodle (Composer) Feb 21, 2026
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection Moderate
CVE-2026-27568 was published for wwbn/avideo (Composer) Feb 20, 2026
Credited to arkmarta
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize() High
CVE-2026-27206 was published for zumba/json-serializer (Composer) Feb 19, 2026
Credited to TheDeepOpc, jrbasso, and cjsaylor
Formwork Improperly Managed Privileges in User creation High
CVE-2026-27198 was published for getformwork/formwork (Composer) Feb 19, 2026
Credited to G3XAR
Statamic affected by privilege escalation via stored cross-site scripting High
CVE-2026-27196 was published for statamic/cms (Composer) Feb 19, 2026
Credited to genneta
LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php High
CVE-2026-26990 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to quirmz
LibreNMS has a Stored XSS in Alert Rule Moderate
CVE-2026-26989 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to quirmz