GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
30 advisories
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
Low
GHSA-g3hp-vvqf-8vw6
was published
for
craftcms/cms
(Composer)
Mar 11, 2026
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
Low
CVE-2026-29177
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Inventory Location Name
Moderate
CVE-2026-29176
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
High
CVE-2026-29175
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
High
CVE-2026-29174
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Low
CVE-2026-29173
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
High
CVE-2026-29172
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
Moderate
CVE-2026-28782
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS has Twig Function Blocklist Bypass
Moderate
CVE-2026-28783
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS: Entries Authorship Spoofing via Mass Assignment
Moderate
CVE-2026-28781
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Critical
CVE-2026-28697
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
Low
GHSA-4mgv-366x-qxvx
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
Low
GHSA-6j87-m5qx-9fqp
was published
for
craftcms/cms
(Composer)
Feb 25, 2026
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
Moderate
CVE-2026-27126
was published
for
craftcms/cms
(Composer)
Feb 23, 2026
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
Moderate
CVE-2026-25496
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
High
CVE-2026-25495
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
Moderate
CVE-2026-25494
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
Moderate
CVE-2026-25493
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to Stored XSS in Entry Types Name
Low
CVE-2026-25491
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Moderate
CVE-2026-25522
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Moderate
CVE-2026-25490
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Moderate
CVE-2026-25489
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Moderate
CVE-2026-25488
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
Moderate
CVE-2026-25487
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
Moderate
CVE-2026-25486
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
ProTip!
Advisories are also available from the
GraphQL API