GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,096 advisories

Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete (High)
CVE-2026-42550 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root (Moderate)
CVE-2026-42549 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() (High)
CVE-2026-42548 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Granian vulnerable to DoS via WSGI response header panic (Moderate)
CVE-2026-42545 was published for granian (pip) May 6, 2026
Credited to Z-Bra0

Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic (High)
CVE-2026-42544 was published for granian (pip) May 6, 2026
Credited to Z-Bra0

Low-privileged Grav API users can create super-admin accounts via blueprint-upload (High)
CVE-2026-42844 was published for getgrav/grav (Composer) May 6, 2026
Credited to 0d000721999

Hugo's Node tool execution allows file system access outside the project directory (Moderate)
CVE-2026-44301 was published for github.com/gohugoio/hugo (Go) May 6, 2026
Credited to jmooring, bacu79, and Gokul965

Magento LTS: Reflected XSS - Import -> Data Flow (profiles) (Moderate)
CVE-2026-42458 was published for openmage/magento-lts (Composer) May 6, 2026
Credited to justlife4x4

Statamic CMS vulnerable to email enumeration via forgot password endpoint (Moderate)
CVE-2026-44306 was published for statamic/cms (Composer) May 6, 2026
Credited to emran-alhaddad

Snappier has an infinite loop during SnappyStream decompression with malformed framed input (High)
CVE-2026-44302 was published for Snappier (NuGet) May 6, 2026
Credited to pawlos

phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha (Critical)
GHSA-289f-fq7w-6q2w was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins (Moderate)
GHSA-gh9p-q46p-57g2 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query (High)
GHSA-99qv-g4x9-mgc3 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields (High)
GHSA-pm8c-3qq3-72w7 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id (Critical)
GHSA-9pq7-mfwh-xx2j was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed (Low)
CVE-2026-42448 was published for magic-wormhole (pip) May 6, 2026

phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ (Moderate)
GHSA-jrc5-w569-h7h5 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to kitu232

phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering (Moderate)
GHSA-pqh6-8fxf-jx22 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to Doodi101 and offset

phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS (Moderate)
GHSA-whqh-9pq5-c7r3 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset

phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization (Moderate)
GHSA-f5p7-2c9q-8896 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset

Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS (High)
CVE-2025-71261 was published for github.com/harvester/harvester (Go) May 6, 2026

phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags (Moderate)
GHSA-7cx3-2qx2-3g6w was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset

phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check (Moderate)
GHSA-hpgw-ww76-c68r was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to offset

phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering (High)
GHSA-9525-27vj-c8r8 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to ericliu-12