Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

384 advisories

Loading
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex Low
CVE-2026-45305 was published for symfony/symfony (Composer) May 27, 2026
Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") Low
CVE-2026-45304 was published for symfony/symfony (Composer) May 27, 2026
Symfony hardened the parser when handling untrusted input Low
CVE-2026-45133 was published for symfony/symfony (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas and suidpit suidpit suidpit
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering Low
CVE-2026-45072 was published for symfony/symfony (Composer) May 27, 2026
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true Low
CVE-2026-45071 was published for symfony/dom-crawler (Composer) May 27, 2026
Pterodactyl has a database resource limit bypass via race condition in Client API Low
CVE-2026-35202 was published for pterodactyl/panel (Composer) May 26, 2026
UDPSendToFailed Credited to UDPSendToFailed
Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` Low
CVE-2026-46637 was published for twig/cssinliner-extra (Composer) May 21, 2026
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects) Low
CVE-2026-46635 was published for twig/twig (Composer) May 21, 2026
twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments Low
CVE-2026-46629 was published for twig/intl-extra (Composer) May 21, 2026
Twig: The `spaceless` filter implicitly marks its output as safe Low
CVE-2026-46628 was published for twig/twig (Composer) May 21, 2026
Sulu: Used API Keys may be available via Admin API Low
GHSA-9m6v-8fxc-4r44 was published for sulu/sulu (Composer) May 18, 2026
gangadhar-s-k Credited to gangadhar-s-k, mamazu, and alexander-schranz mamazu mamazu
alexander-schranz alexander-schranz
LibreNMS: Cross-Site Scripting in ShowConfigController Low
CVE-2026-2728 was published for librenms/librenms (Composer) May 18, 2026
YuriNek0 Credited to YuriNek0
Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy Low
GHSA-h4fw-6r7f-w494 was published for web-auth/webauthn-framework (Composer) May 7, 2026
offset Credited to offset
FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation Low
CVE-2026-27964 was published for facturascripts/facturascripts (Composer) May 7, 2026
jaroslaw-wawiorko Credited to jaroslaw-wawiorko
Grav has Insecure Deserialization in File Cache Low
CVE-2026-7317 was published for getgrav/grav (Composer) May 5, 2026
devsamuelsantiago Credited to devsamuelsantiago
Dolibarr has Insufficient Verification of Data Authenticity Low
CVE-2026-7689 was published for dolibarr/dolibarr (Composer) May 3, 2026
Dolibarr has an Injection issue Low
CVE-2026-7688 was published for dolibarr/dolibarr (Composer) May 3, 2026
ps_checkout allows unauthorized method invocation through unvalidated parameter Low
GHSA-mqq7-wxx5-mp8h was published for prestashop/ps_checkout (Composer) Apr 30, 2026
Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send Low
CVE-2026-41663 was published for admidio/admidio (Composer) Apr 29, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment Low
CVE-2026-41659 was published for admidio/admidio (Composer) Apr 29, 2026
offset Credited to offset
Duplicate Advisory: Grav has Insecure Deserialization in File Cache Low
GHSA-j7rw-325j-2rmx was published for getgrav/grav (Composer) Apr 29, 2026 withdrawn
Kimai has Missing Object-Level Authorization in the Team API Low
CVE-2026-41498 was published for kimai/kimai (Composer) Apr 24, 2026
AzureADTrent Credited to AzureADTrent
Bagisto affected by Cross-site Scripting Low
CVE-2026-6745 was published for bagisto/bagisto (Composer) Apr 21, 2026
Bagisto affected by Server-Side Request Forgery Low
CVE-2026-6744 was published for bagisto/bagisto (Composer) Apr 21, 2026
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations Low
CVE-2026-29179 was published for october/system (Composer) Apr 21, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database