Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,241
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,511
Pub
12
RubyGems
997
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

3,024 advisories

Loading
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php Moderate
CVE-2026-33297 was published for wwbn/avideo (Composer) Mar 19, 2026
fg0x0 Credited to fg0x0
AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources Moderate
CVE-2026-33294 was published for wwbn/avideo (Composer) Mar 19, 2026
restriction Credited to restriction
AVideo has Unauthenticated PGP Message Decryption via Public Endpoint Moderate
GHSA-5x2w-37xf-7962 was published for wwbn/avideo (Composer) Mar 19, 2026
fg0x0 Credited to fg0x0
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command Moderate
GHSA-w5ff-2mjc-4phc was published for wwbn/avideo (Composer) Mar 19, 2026
restriction Credited to restriction
AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration Moderate
CVE-2026-33238 was published for wwbn/avideo (Composer) Mar 19, 2026
restriction Credited to restriction
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation Moderate
CVE-2026-33237 was published for wwbn/avideo (Composer) Mar 19, 2026
restriction Credited to restriction
Statamic is missing authorization check on taxonomy term creation via fieldtype Moderate
CVE-2026-33177 was published for statamic/cms (Composer) Mar 18, 2026
everythingBlackkk Credited to everythingBlackkk
Statamic has a path traversal in file dictionary fieldtype Moderate
CVE-2026-33171 was published for statamic/cms (Composer) Mar 18, 2026
spbavarva Credited to spbavarva
The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class Moderate
CVE-2026-1323 was published for cpsit/typo3-mailqueue (Composer) Mar 18, 2026
eliashaeussler Credited to eliashaeussler
Craft CMS Vulnerable to Stored XSS in Revision Context Menu Moderate
CVE-2026-33051 was published for craftcms/cms (Composer) Mar 18, 2026
Neosprings Credited to Neosprings
Unauthenticated Reflected XSS via innerHTML in AVideo Moderate
CVE-2026-33035 was published for wwbn/avideo (Composer) Mar 17, 2026
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php Moderate
CVE-2026-33041 was published for wwbn/avideo (Composer) Mar 17, 2026
offensiveee Credited to offensiveee
Admidio is Missing Authorization on Forum Topic and Post Deletion Moderate
CVE-2026-32818 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection Moderate
CVE-2026-32757 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint Moderate
CVE-2026-32812 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio is Missing CSRF Protection on Role Membership Date Changes Moderate
CVE-2026-32755 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions Moderate
CVE-2026-32816 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Amazon S3 for Craft CMS has an Information Disclosure vulnerability Moderate
CVE-2026-32265 was published for craftcms/aws-s3 (Composer) Mar 16, 2026
Neosprings Credited to Neosprings
Craft CMS has a Path Traversal Vulnerability in AssetsController Moderate
CVE-2026-32262 was published for craftcms/cms (Composer) Mar 16, 2026
Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler Moderate
CVE-2026-4175 was published for aureuserp/aureuserp (Composer) Mar 16, 2026
Statamic vulnerable to privilege escalation via stored cross-site scripting Moderate
CVE-2026-32612 was published for statamic/cms (Composer) Mar 13, 2026
Shirshaw64p Credited to Shirshaw64p
Shopware has user enumeration via distinct error codes on Store API login endpoint Moderate
CVE-2026-31888 was published for shopware/core (Composer) Mar 11, 2026
bugbunny-research Credited to bugbunny-research
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization Moderate
CVE-2026-31859 was published for craftcms/cms (Composer) Mar 11, 2026
Sylius has a DQL Injection via API Order Filters Moderate
CVE-2026-31825 was published for sylius/sylius (Composer) Mar 11, 2026
Neosprings Credited to Neosprings and bnBart bnBart bnBart
Sylius Vulnerable to Authenticated Stored XSS Moderate
CVE-2026-31823 was published for sylius/sylius (Composer) Mar 11, 2026
whiteov3rflow Credited to whiteov3rflow and bnBart bnBart bnBart
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database