GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,547 advisories

PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes High
GHSA-mh6w-vxff-9wqp was published for phpunit/phpunit (Composer) Apr 22, 2026
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution High
CVE-2026-40488 was published for openmage/magento-lts (Composer) Apr 21, 2026
OpenMage LTS: Phar Deserialization leads to Remote Code Execution High
CVE-2026-25524 was published for openmage/magento-lts (Composer) Apr 21, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave() High
GHSA-f58v-p6j9-24c2 was published for yeswiki/yeswiki (Composer) Apr 18, 2026
Credited to morimori-dev
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes High
GHSA-qrr6-mg7r-m243 was published for phpunit/phpunit (Composer) Apr 18, 2026
Credited to kayw-geek, sebastianbergmann, and sanmai
elFinder: Command injection in resize background color parameter when using ImageMagick CLI High
GHSA-8q4h-8crm-5cvc was published for studio-42/elfinder (Composer) Apr 17, 2026
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar High
CVE-2026-40308 was published for joedolson/my-calendar (Composer) Apr 16, 2026
Credited to minhi1
Statamic: Unsafe method invocation via query value resolution allows data destruction High
GHSA-4jjr-vmv7-wh4w was published for statamic/cms (Composer) Apr 16, 2026
Credited to joshuaalwin and kodareef5
WWBN AVideo: RCE caused by clonesite plugin High
GHSA-xr6f-h4x7-r6qp was published for wwbn/avideo (Composer) Apr 16, 2026
Credited to Rangar0k
Withdrawn Advisory: Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion High
GHSA-qjfj-3mm5-vrjg was published for google/protobuf (Composer) Apr 16, 2026 withdrawn
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() High
GHSA-47hf-23pw-3m8c was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron High
GHSA-75h4-c557-j89r was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection High
GHSA-pq8p-wc4f-vg7j was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL High
GHSA-j432-4w3j-3w8j was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) High
GHSA-ffw8-fwxp-h64w was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
Credited to mabjr33
Composer has a command injection via malicious perforce repository High
CVE-2026-40176 was published for composer/composer (Composer) Apr 14, 2026
Credited to glaubinix and Saku0512
Composer has a command injection via malicious perforce reference High
CVE-2026-40261 was published for composer/composer (Composer) Apr 14, 2026
Credited to kodareef5
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php High
CVE-2026-38529 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php High
CVE-2026-38532 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php High
CVE-2026-38530 was published for krayin/laravel-crm (Composer) Apr 14, 2026