GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
601 advisories
YesWiki: Unauthenticated SQL Injection
Critical
CVE-2026-46670
was published
for
yeswiki/yeswiki
(Composer)
May 22, 2026
Formie: Pre-authenticated server-side template injection in Hidden fields
Critical
CVE-2026-45697
was published
for
verbb/formie
(Composer)
May 18, 2026
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs
Critical
CVE-2026-42155
was published
for
openmage/magento-lts
(Composer)
May 5, 2026
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
Critical
CVE-2026-44262
was published
for
dedoc/scramble
(Composer)
May 6, 2026
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
Critical
CVE-2025-22871
was published
for
spiral/roadrunner
(Composer)
Apr 8, 2025
Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
Critical
CVE-2026-42613
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
Critical
CVE-2026-42607
was published
for
getgrav/grav
(Composer)
May 5, 2026
phpVMS has an /importer authorization bypass causing full database wipe
Critical
CVE-2026-42569
was published
for
nabeel/phpvms
(Composer)
May 4, 2026
TorrentPier Deserialization of Untrusted Data vulnerability
Critical
CVE-2024-40624
was published
for
torrentpier/torrentpier
(Composer)
Jul 15, 2024
LibreNMS has an Authenticated OS Command Injection
Critical
CVE-2024-51092
was published
for
librenms/librenms
(Composer)
Nov 15, 2024
torrentpier has PHP Serialize Injections
Critical
GHSA-h29g-c9cx-c73q
was published
for
torrentpier/torrentpier
(Composer)
May 11, 2026
Snipe-IT has insecure permissions in file uploads
Critical
CVE-2026-37709
was published
for
snipe/snipe-it
(Composer)
May 8, 2026
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41202
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41203
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
Critical
CVE-2026-34084
was published
for
phpoffice/phpspreadsheet
(Composer)
Apr 29, 2026
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Critical
CVE-2026-23500
was published
for
dolibarr/dolibarr
(Composer)
Apr 17, 2026
phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
Critical
GHSA-289f-fq7w-6q2w
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
Critical
GHSA-9pq7-mfwh-xx2j
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass
Critical
GHSA-vj3m-2g9h-vm4p
was published
for
getgrav/grav
(Composer)
May 5, 2026
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34989
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 3, 2026
CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
Critical
CVE-2026-35035
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 6, 2026
ProTip!
Advisories are also available from the
GraphQL API