GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

168 advisories

Pimcore has a CustomReports Share Bypass (High)
CVE-2026-45704, published for pimcore/pimcore (Composer), May 27, 2026
Credited to HuajiHD

Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export (Moderate)
CVE-2026-45703, published for pimcore/pimcore (Composer), May 27, 2026
Credited to HuajiHD

Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] (Moderate)
CVE-2026-45075, published for symfony/http-kernel (Composer), May 27, 2026
Credited to alexandre-daubois

Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) (Low)
CVE-2026-46635, published for twig/twig (Composer), May 21, 2026

phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check (Moderate)
CVE-2026-45009, published for phpMyFAQ/phpMyFAQ (Composer), May 15, 2026

MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API (Moderate)
CVE-2026-42070, published for mantisbt/mantisbt (Composer), May 11, 2026
Credited to shukla304, TristanInSec, and dregad

Snipe-IT has Privilege Escalation via API Permissions Assignment (High)
CVE-2026-44832, published for snipe/snipe-it (Composer), May 8, 2026
Credited to lorenzofradeani

Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy (Low)
GHSA-h4fw-6r7f-w494, published for web-auth/webauthn-framework (Composer), May 7, 2026
Credited to offset

phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query (High)
GHSA-99qv-g4x9-mgc3, published for phpmyfaq/phpmyfaq (Composer), May 6, 2026
Credited to adrgs and aisafe-bot

phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ (Moderate)
GHSA-jrc5-w569-h7h5, published for phpmyfaq/phpmyfaq (Composer), May 6, 2026
Credited to kitu232

phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check (Moderate)
GHSA-hpgw-ww76-c68r, published for phpmyfaq/phpmyfaq (Composer), May 6, 2026
Credited to offset

Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation (Moderate)
GHSA-9g2q-w3w2-vf7q, published for kimai/kimai (Composer), May 6, 2026
Credited to nullvector1

Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass (Moderate)
CVE-2026-42610, published for getgrav/grav (Composer), May 5, 2026
Credited to Samer666569

Grav API Privilege Escalation to Super Admin (High)
CVE-2026-42843, published for getgrav/grav-plugin-api (Composer), May 5, 2026
Credited to n0tra4e

Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP (High)
CVE-2026-41660, published for admidio/admidio (Composer), Apr 29, 2026
Credited to adrgs and aisafe-bot

Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php (Moderate)
CVE-2026-41657, published for admidio/admidio (Composer), Apr 29, 2026
Credited to offset

Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection (High)
CVE-2026-41325, published for getkirby/cms (Composer), Apr 24, 2026
Credited to offset

Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter (Moderate)
CVE-2026-40099, published for getkirby/cms (Composer), Apr 23, 2026
Credited to offset

October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations (Low)
CVE-2026-29179, published for october/system (Composer), Apr 21, 2026

October CMS has Safe Mode Bypass via Twig Database Write Operations (Moderate)
CVE-2026-26274, published for october/october (Composer), Apr 21, 2026
Credited to Neosprings and daftspunk

Silverstripe Assets Module has a DBFile::getURL() permission bypass (Moderate)
CVE-2026-24749, published for silverstripe/assets (Composer), Apr 16, 2026

Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing (Moderate)
CVE-2026-41232, published for froxlor/froxlor (Composer), Apr 16, 2026
Credited to offset

Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() (Moderate)
CVE-2026-41233, published for froxlor/froxlor (Composer), Apr 16, 2026
Credited to offset