GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
31 advisories
Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
Moderate
CVE-2026-44373
was published
for
nitro
(npm)
May 6, 2026
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
Low
GHSA-g3hp-vvqf-8vw6
was published
for
craftcms/cms
(Composer)
Mar 11, 2026
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
Low
CVE-2026-29177
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has stored XSS in Inventory Location Name
Moderate
CVE-2026-29176
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
High
CVE-2026-29175
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting
High
CVE-2026-29174
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Low
CVE-2026-29173
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting
High
CVE-2026-29172
was published
for
craftcms/commerce
(Composer)
Mar 10, 2026
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
Moderate
CVE-2026-28782
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS has Twig Function Blocklist Bypass
Moderate
CVE-2026-28783
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS: Entries Authorship Spoofing via Mass Assignment
Moderate
CVE-2026-28781
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Critical
CVE-2026-28697
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
Low
GHSA-4mgv-366x-qxvx
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
Low
GHSA-6j87-m5qx-9fqp
was published
for
craftcms/cms
(Composer)
Feb 25, 2026
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
Moderate
CVE-2026-27126
was published
for
craftcms/cms
(Composer)
Feb 23, 2026
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
Moderate
CVE-2026-25496
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
High
CVE-2026-25495
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
Moderate
CVE-2026-25494
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
Moderate
CVE-2026-25493
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft CMS Vulnerable to Stored XSS in Entry Types Name
Low
CVE-2026-25491
was published
for
craftcms/cms
(Composer)
Feb 9, 2026
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Moderate
CVE-2026-25522
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Moderate
CVE-2026-25490
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Moderate
CVE-2026-25489
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Moderate
CVE-2026-25488
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
Moderate
CVE-2026-25487
was published
for
craftcms/commerce
(Composer)
Feb 2, 2026
ProTip!
Advisories are also available from the
GraphQL API