Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

13,623 advisories

Loading
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export Moderate
CVE-2026-45703 was published for pimcore/pimcore (Composer) May 27, 2026
HuajiHD Credited to HuajiHD
AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username Moderate
CVE-2026-45309 was published for asyncssh (pip) May 27, 2026
0xHunSec Credited to 0xHunSec
Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] Moderate
CVE-2026-45075 was published for symfony/http-kernel (Composer) May 27, 2026
alexandre-daubois Credited to alexandre-daubois
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay Moderate
CVE-2026-45074 was published for symfony/security-http (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix Moderate
CVE-2026-45073 was published for symfony/cache (Composer) May 27, 2026
FORIMOC Credited to FORIMOC and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names Moderate
CVE-2026-45070 was published for symfony/mime (Composer) May 27, 2026
alexandre-daubois Credited to alexandre-daubois
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims Moderate
CVE-2026-45069 was published for symfony/security-http (Composer) May 27, 2026
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address Moderate
CVE-2026-45068 was published for symfony/mailer (Composer) May 27, 2026
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification Moderate
CVE-2026-45066 was published for symfony/html-sanitizer (Composer) May 27, 2026
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing Moderate
CVE-2026-45064 was published for symfony/html-sanitizer (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas and unknownhad unknownhad unknownhad
CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression Moderate
CVE-2026-44981 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
davide-s-rosa Credited to davide-s-rosa
Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions Moderate
CVE-2026-45334 was published for getkirby/cms (Composer) May 27, 2026
matte1782 Credited to matte1782
Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection Moderate
CVE-2026-45065 was published for symfony/routing (Composer) May 27, 2026
@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects Moderate
CVE-2026-44979 was published for @hapi/wreck (npm) May 27, 2026
gasbugs Credited to gasbugs
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` Moderate
CVE-2026-44646 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body Moderate
CVE-2026-44645 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS Moderate
CVE-2026-44644 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Yamcs has No Rate Limiting on Authentication Endpoint Moderate
CVE-2026-44596 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
ex-cal1bur Credited to ex-cal1bur
Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints Moderate
CVE-2026-44595 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
ex-cal1bur Credited to ex-cal1bur
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters Moderate
CVE-2026-44587 was published for carrierwave (RubyGems) May 27, 2026
snoopysecurity Credited to snoopysecurity and bilerden bilerden bilerden
Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations Moderate
CVE-2026-44210 was published for github.com/kata-containers/kata-containers (Go) May 26, 2026
K-Rintaro Credited to K-Rintaro and fidencio fidencio fidencio
Kirby CMS's `pages.access` permission is not checked during rendering of page drafts Moderate
CVE-2026-44176 was published for getkirby/cms (Composer) May 26, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Yamcs Vulnerable to LDAP Injection in LdapAuthModule Moderate
CVE-2026-42568 was published for org.yamcs:yamcs-core (Maven) May 26, 2026
ex-cal1bur Credited to ex-cal1bur
netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures Moderate
CVE-2026-41207 was published for io.netty.incubator:netty-incubator-codec-ohttp (Maven) May 26, 2026
XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin Moderate
CVE-2026-48047 was published for org.xwiki.platform:xwiki-platform-webjars-api (Maven) May 26, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database