
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,959 advisories

Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields (Moderate)
CVE-2026-48067 was published for filament/actions (Composer) Jun 11, 2026
Credited to baradika and danharrin

CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule (Critical)
CVE-2026-48062 was published for codeigniter4/framework (Composer) Jun 11, 2026
Credited to z3moo and teebow1e

guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator (Moderate)
CVE-2026-53723 was published for guzzlehttp/guzzle-services (Composer) Jun 11, 2026
Credited to GrahamCampbell

guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation (Moderate)
CVE-2026-48998 was published for guzzlehttp/psr7 (Composer) Jun 11, 2026
Credited to edorian

guzzlehttp/psr7 has CRLF Injection via URI Host Component (Moderate)
CVE-2026-49214 was published for guzzlehttp/psr7 (Composer) Jun 11, 2026
Credited to edorian

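A generic illustration of the vulnerability class named in the guzzlehttp/psr7 CRLF entry above: a URI host component that is copied verbatim into an HTTP request head, and the allowlist check that rejects it. This is an added example written in Python so it runs stand-alone; it is not psr7 code and makes no claim about how that library parses or validates hosts. The authority strings and every function name below are this example's own.

```python
import re

# Allowlist modelled on the RFC 3986 host production: an IP-literal in
# brackets (optionally with a zone id), or reg-name / IPv4 characters.
# CR, LF, SP and other control characters are outside the set, so they are
# rejected outright rather than percent-encoded or silently stripped.
# '%' is admitted as the lead byte of pct-encoded octets; this example does
# not check the two hex digits that must follow it.
_HOST_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+(?:%25[A-Za-z0-9\-._~]+)?\]"
    r"|[A-Za-z0-9\-._~%!$&'()*+,;=]+)"
)

# Constructed hostile authority: the text after example.com becomes a second
# header line if the host is interpolated without validation.
INJECTED_HOST = "example.com\r\nX-Forwarded-For: 127.0.0.1"


def validate_host(host: str) -> str:
    """Return host unchanged if it is syntactically a host; raise otherwise."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host component: {host!r}")
    return host


def build_request_head(method: str, path: str, host: str) -> str:
    """Vulnerable pattern: the host lands in the Host header verbatim, so a
    host value carrying CR LF appends whole headers to the request."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def build_request_head_safe(method: str, path: str, host: str) -> str:
    """Hardened form: validate before interpolating. Rejecting is preferred
    over stripping CR LF, because stripping turns an attack into a different
    (and still unintended) host name."""
    return build_request_head(method, path, validate_host(host))


def header_lines(head: str) -> list[str]:
    """Split a request head into its header lines (request line excluded)."""
    return [line for line in head.split("\r\n")[1:] if line]


if __name__ == "__main__":
    print(header_lines(build_request_head("GET", "/", INJECTED_HOST)))
    try:
        build_request_head_safe("GET", "/", INJECTED_HOST)
    except ValueError as exc:
        print("rejected:", exc)
```

`header_lines` is only there to make the consequence visible: with the unchecked builder the one Host value yields two header lines, with the checked builder the call never reaches the wire.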
Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter (Critical)
CVE-2026-48030 was published for pheditor/pheditor (Composer) Jun 9, 2026
Credited to muslimbek-0x
Credited to nicolas-grekas and 0xEr3n

Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications (Moderate)
CVE-2026-47693 was published for poweradmin/poweradmin (Composer) Jun 8, 2026
Credited to tienneR

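A generic illustration of the CSV (formula) injection class named in the Poweradmin entry above, with the vulnerable export beside its hardened form. This is an added example, not Poweradmin's code, and it says nothing about how that project's export endpoint is written; the log rows are constructed sample data and `neutralize_cell`, `export_rows` and `is_formula_cell` are this example's own names.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets interpret as
# the start of a formula. Tab and CR are included because some importers
# trim them and then evaluate what follows.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample log rows: the second "user" value is attacker-controlled
# text that was accepted at login time and later lands in an export.
SAMPLE_LOG_ROWS = [
    ("2026-06-08 10:01:02", "alice", "zone.example", "record added"),
    ("2026-06-08 10:02:17", '=HYPERLINK("http://attacker.example","open")',
     "zone.example", "login failed"),
    ("2026-06-08 10:03:40", "bob", "zone.example", -5),
]


def is_formula_cell(cell: str) -> bool:
    """Detection-side check: True when a spreadsheet would evaluate the cell."""
    return bool(cell) and cell[0] in FORMULA_PREFIXES


def neutralize_cell(value: str) -> str:
    """Prefix a would-be formula with a single quote. The quote forces text
    interpretation in the spreadsheet and passes through CSV quoting intact."""
    if is_formula_cell(value):
        return "'" + value
    return value


def export_rows(rows, neutralize: bool = True) -> str:
    """Serialise rows to CSV.

    neutralize=False is the vulnerable pattern: attacker text is written out
    verbatim and =HYPERLINK(...) is evaluated when the file is opened.
    neutralize=True prefixes only string cells, so a numeric -5 stays a
    number instead of becoming the text '-5 (the usual false positive of
    blanket prefixing). Embedded quotes are doubled by the csv module.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = []
        for cell in row:
            if neutralize and isinstance(cell, str):
                cells.append(neutralize_cell(cell))
            else:
                cells.append(cell)
        writer.writerow(cells)
    return buf.getvalue()


if __name__ == "__main__":
    print(export_rows(SAMPLE_LOG_ROWS, neutralize=False))
    print(export_rows(SAMPLE_LOG_ROWS))
```

Prefixing at export time is the defence that works regardless of where the text entered the system; rejecting such strings at input time alone is not enough, because legitimate values (a note beginning with "+1", a user named "@ops") exist and because older stored data is not re-validated.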
PHPSpreadsheet has a patch bypass for CVE-2026-34084 (Critical)
CVE-2026-45034 was published for phpoffice/phpspreadsheet (Composer) Jun 8, 2026
Credited to everping

Twig: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points (High)
CVE-2026-47732 was published for twig/twig (Composer) Jun 5, 2026
Credited to fabpot

Twig: XSS in profiler HtmlDumper via unescaped template and profile names (Low)
CVE-2026-47730 was published for twig/twig (Composer) Jun 5, 2026
Credited to nicolas-grekas

Twig: Possible sandbox bypass when using a source policy (High)
CVE-2026-24425 was published for twig/twig (Composer) Jun 5, 2026
Credited to fabpot, wsparks-vc, XavLimSG, and Vincent550102

Shopper: Authorization bypass and RBAC privilege escalation in team settings (Critical)
CVE-2026-47744 was published for shopper/framework (Composer) Jun 5, 2026
Credited to baradika

Shopper: Multiple data integrity and disclosure issues in admin Livewire components (High)
CVE-2026-47743 was published for shopper/framework (Composer) Jun 5, 2026
Credited to baradika

Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables (Moderate)
CVE-2026-47745 was published for shopper/framework (Composer) Jun 5, 2026
Credited to baradika

Shopper: Missing authorization on Product admin Livewire sub-form components (Moderate)
CVE-2026-47742 was published for shopper/framework (Composer) Jun 5, 2026
Credited to baradika

TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection (High)
CVE-2026-47761 was published for TinyMCE (Composer) Jun 5, 2026
Credited to UncleJ4ck and ange-primiterra

TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments (High)
CVE-2026-47762 was published for TinyMCE (Composer) Jun 5, 2026
Credited to he1d3n
Credited to mtrill47 and he1d3n

TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs (High)
CVE-2026-47760 was published for TinyMCE (Composer) Jun 5, 2026
Credited to maple3142

Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation (Moderate)
CVE-2026-48013 was published for shopware/core (Composer) Jun 4, 2026
Credited to offset and 0xEr3n

Shopware: Stored XSS via SVG file upload, no SVG sanitization (Moderate)
CVE-2026-48015 was published for shopware/core (Composer) Jun 4, 2026
Credited to Keyvanhardani

Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment (Moderate)
CVE-2026-48016 was published for shopware/core (Composer) Jun 4, 2026

Shopware: Admin API ACL Bypass in Order State Transition Endpoints (Moderate)
CVE-2026-48014 was published for shopware/core (Composer) Jun 4, 2026
Credited to offset

Shopware SSO referer trust leading to an arbitrary redirect target (Moderate)
CVE-2026-48012 was published for shopware/core (Composer) Jun 4, 2026
Credited to lalalala5678

Advisories are also available from the GitHub GraphQL API.