GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,234 advisories

Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization Critical
CVE-2025-49113 was published for roundcube/roundcubemail (Composer) Jun 2, 2025
Credited to Malayke
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection Moderate
CVE-2026-27568 was published for wwbn/avideo (Composer) Feb 20, 2026
Credited to arkmarta
Kimai contains a SameSite cookie vulnerability High
CVE-2023-53957 was published for kimai/kimai (Composer) Dec 19, 2025
LibreNMS /port-groups name Stored Cross-Site Scripting Moderate
CVE-2026-26992 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to wsparks-vulncheck and awoffsec
LibreNMS /device-groups name Stored Cross-Site Scripting Moderate
CVE-2026-26991 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to wsparks-vulncheck and awoffsec
LibreNMS has a Stored XSS in Alert Rule Moderate
CVE-2026-26989 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to quirmz
LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags() Moderate
CVE-2026-27016 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to decsecre583
LibreNMS affected by reflected xss via email field Moderate
CVE-2026-26987 was published for librenms/librenms (Composer) Feb 18, 2026
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize() High
CVE-2026-27206 was published for zumba/json-serializer (Composer) Feb 19, 2026
Credited to TheDeepOpc, jrbasso, and cjsaylor
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization Critical
CVE-2026-26016 was published for pterodactyl/panel (Composer) Feb 17, 2026
Credited to duddnr0615k and DaneEveritt
Formwork Improperly Managed Privileges in User creation High
CVE-2026-27198 was published for getformwork/formwork (Composer) Feb 19, 2026
Credited to G3XAR
Statamic affected by privilege escalation via stored cross-site scripting High
CVE-2026-27196 was published for statamic/cms (Composer) Feb 19, 2026
Credited to genneta
Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags Moderate
CVE-2025-65956 was published for getformwork/formwork (Composer) Nov 24, 2025
Credited to 3m4n5
Formwork improperly validates input of User role preventing site and panel availability High
GHSA-c85w-x26q-ch87 was published for getformwork/formwork (Composer) Mar 1, 2025
Credited to Kyokito1412 and giuscris
Formwork has a cross-site scripting (XSS) vulnerability in Site title Moderate
GHSA-vf6x-59hh-332f was published for getformwork/formwork (Composer) Mar 1, 2025
Credited to Kyokito1412
Cross-site scripting (XSS) vulnerability in Description metadata Moderate
CVE-2024-37160 was published for getformwork/formwork (Composer) Jun 7, 2024
Credited to Kyokito1412
OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint) High
CVE-2025-69213 was published for devcode-it/openstamanager (Composer) Feb 3, 2026
Credited to lukasz-rybak
phpMyFAQ vulnerable to Cross-site Scripting Moderate
CVE-2022-4407 was published for thorsten/phpmyfaq (Composer) Dec 11, 2022
phpMyFAQ vulnerable to reflected Cross-site Scripting Moderate
CVE-2022-3766 was published for thorsten/phpmyfaq (Composer) Oct 31, 2022
Cross-Site Request Forgery in YOURLS Low
CVE-2022-0088 was published for yourls/yourls (Composer) Apr 4, 2022
LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php High
CVE-2026-26990 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to quirmz
LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream. High
CVE-2026-26988 was published for librenms/librenms (Composer) Feb 18, 2026
Credited to Snow1nd
php-jwt contains weak encryption High
CVE-2025-45769 was published for firebase/php-jwt (Composer) Jul 31, 2025
Credited to wizardist
Shopware's session is persistent in Cache for 404 pages High
CVE-2024-27917 was published for shopware/platform (Composer) Mar 6, 2024
Credited to sunnypatell
Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting Moderate
CVE-2024-47186 was published for filament/infolists (Composer) Sep 27, 2024
Credited to sv-LayZ, danharrin, and sunnypatell