GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
74 advisories
Snappy: Binary path is never shell-escaped due to an inverted is_executable check
High • CVE-2026-46643 was published for KnpLabs/knp-snappy (Composer) • May 21, 2026

AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
High • CVE-2026-45578 was published for WWBN/AVideo (Composer) • May 15, 2026

Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass
Critical • GHSA-vj3m-2g9h-vm4p was published for getgrav/grav (Composer) • May 5, 2026

Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions
High • CVE-2026-31019 was published for dolibarr/dolibarr (Composer) • Apr 21, 2026

elFinder: Command injection in resize background color parameter when using ImageMagick CLI
High • CVE-2026-41247 was published for studio-42/elfinder (Composer) • Apr 17, 2026

Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Critical • CVE-2026-23500 was published for dolibarr/dolibarr (Composer) • Apr 17, 2026

WWBN AVideo: RCE caused by clonesite plugin
High • CVE-2026-41304 was published for wwbn/avideo (Composer) • Apr 16, 2026

WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
High • CVE-2026-41064 was published for wwbn/avideo (Composer) • Apr 14, 2026

Composer has a command injection via malicious perforce repository
High • CVE-2026-40176 was published for composer/composer (Composer) • Apr 14, 2026

Composer has a command injection via malicious perforce reference
High • CVE-2026-40261 was published for composer/composer (Composer) • Apr 14, 2026

Duplicate Advisory: LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write
High • GHSA-7549-ggpq-22w8 was published for librenms/librenms (Composer) • Apr 13, 2026 • withdrawn

baserCMS has OS command injection vulnerability in installer
Critical • CVE-2026-30880 was published for baserproject/basercms (Composer) • Mar 31, 2026

baserCMS Update Functionality Vulnerable to OS Command Injection
Critical • CVE-2026-30877 was published for baserproject/basercms (Composer) • Mar 31, 2026

baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)
Critical • CVE-2026-21861 was published for baserproject/basercms (Composer) • Mar 31, 2026

LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write
High • CVE-2026-6204 was published for librenms/librenms (Composer) • Mar 26, 2026

AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
High • CVE-2026-33648 was published for wwbn/avideo (Composer) • Mar 25, 2026

AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
High • CVE-2026-33482 was published for wwbn/avideo (Composer) • Mar 20, 2026

AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Critical • CVE-2026-33478 was published for wwbn/avideo (Composer) • Mar 20, 2026

AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
Moderate • CVE-2026-33319 was published for wwbn/avideo (Composer) • Mar 19, 2026

WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Critical • CVE-2026-29058 was published for wwbn/avideo (Composer) • Mar 3, 2026

Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Critical • CVE-2026-26279 was published for froxlor/froxlor (Composer) • Mar 3, 2026

Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal
High • CVE-2026-28507 was published for idno/known (Composer) • Mar 2, 2026

OpenSTAManager has an OS Command Injection in P7M File Processing
Critical • CVE-2025-69212 was published for devcode-it/openstamanager (Composer) • Feb 6, 2026

RaspAP raspap-webgui contains an OS Command Injection vulnerability
High • CVE-2026-24788 was published for billz/raspap-webgui (Composer) • Feb 2, 2026

phpPgAdmin contains a remote command execution vulnerability
High • CVE-2021-47853 was published for phppgadmin/phppgadmin (Composer) • Jan 21, 2026