GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,595 advisories

Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override (Severity: High)
CVE-2026-42845 was published for getgrav/grav-plugin-form (Composer) May 6, 2026
Credited to fr0stydev

Flight vulnerable to sensitive information disclosure via default error handler (Severity: High)
CVE-2026-42552 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass (Severity: High)
CVE-2026-42551 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete (Severity: High)
CVE-2026-42550 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() (Severity: High)
CVE-2026-42548 was published for flightphp/core (Composer) May 6, 2026
Credited to Rootingg

Low-privileged Grav API users can create super-admin accounts via blueprint-upload (Severity: High)
CVE-2026-42844 was published for getgrav/grav (Composer) May 6, 2026
Credited to 0d000721999

phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query (Severity: High)
GHSA-99qv-g4x9-mgc3 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields (Severity: High)
GHSA-pm8c-3qq3-72w7 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to adrgs and aisafe-bot

phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering (Severity: High)
GHSA-9525-27vj-c8r8 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
Credited to ericliu-12

phpseclib: guardrails needed on isPrime and randomPrime (Severity: High)
CVE-2024-27354 was published for phpseclib/phpseclib (Composer) May 6, 2026
Credited to offset

Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior (Severity: High)
CVE-2026-44011 was published for craftcms/cms (Composer) May 6, 2026
Credited to precicom-vincent-tl

Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure (Severity: High)
CVE-2026-44010 was published for craftcms/cms (Composer) May 6, 2026
Credited to joshuaalwin

AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization (Severity: High)
CVE-2026-43885 was published for wwbn/avideo (Composer) May 5, 2026
Credited to tronglinh23

AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() (Severity: High)
CVE-2026-43884 was published for wwbn/avideo (Composer) May 5, 2026
Credited to SnailSploit

Grav is Vulnerable to Stored XSS via Tag Injection (Severity: High)
CVE-2026-42611 was published for getgrav/grav (Composer) May 5, 2026
Credited to KhanMarshaI

Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component (Severity: High)
CVE-2026-42608 was published for getgrav/grav (Composer) May 5, 2026
Credited to sentinal404

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic (Severity: High)
CVE-2026-42609 was published for getgrav/grav (Composer) May 5, 2026
Credited to AnhNg1410

Grav has Insecure Deserialization in File Cache (Severity: High)
GHSA-gwfr-jfjf-92vv was published for getgrav/grav (Composer) May 5, 2026
Credited to devsamuelsantiago

Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes (Severity: High)
CVE-2026-42612 was published for getgrav/grav (Composer) May 5, 2026
Credited to KC1zs4

Grav API Privilege Escalation to Super Admin (Severity: High)
CVE-2026-42843 was published for getgrav/grav-plugin-api (Composer) May 5, 2026
Credited to n0tra4e

phpseclib has a CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID() (Severity: High)
CVE-2026-44167 was published for phpseclib/phpseclib (Composer) May 5, 2026

webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input (Severity: High)
GHSA-r7cg-qjjm-xhqq was published for webonyx/graphql-php (Composer) May 5, 2026
Credited to d0cs1s-bzhunt and BZHunt