GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,436
Maven: 5,000+
npm: 5,000+
NuGet: 883
pip: 4,694
Pub: 13
RubyGems: 1,029
Rust: 1,212
Swift: 53

Unreviewed advisories
All unreviewed: 5,000+

5,562 advisories

Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens
High | GHSA-349c-2h2f-mxf6 was published for laravel/passport (Composer) | Apr 8, 2026

CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
High | CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) | Apr 8, 2026

CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass
High | CVE-2026-39393 was published for ci4-cms-erp/ci4ms (Composer) | Apr 8, 2026

CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
Moderate | CVE-2026-39392 was published for ci4-cms-erp/ci4ms (Composer) | Apr 8, 2026

CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
Moderate | CVE-2026-39391 was published for ci4-cms-erp/ci4ms (Composer) | Apr 8, 2026

CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
Moderate | CVE-2026-39390 was published for ci4-cms-erp/ci4ms (Composer) | Apr 8, 2026

CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
Moderate | CVE-2026-39389 was published for ci4-cms-erp/ci4ms (Composer) | Apr 8, 2026

WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
High | CVE-2026-39370 was published for WWBN/AVideo (Composer) | Apr 8, 2026

WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
High | CVE-2026-39369 was published for WWBN/AVideo (Composer) | Apr 8, 2026

WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
Moderate | CVE-2026-39368 was published for WWBN/AVideo (Composer) | Apr 8, 2026

WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Moderate | CVE-2026-39367 was published for wwbn/avideo (Composer) | Apr 8, 2026

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
Moderate | CVE-2026-39366 was published for wwbn/avideo (Composer) | Apr 8, 2026

PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state
Low | GHSA-f9jp-856v-8642 was published for pocketmine/pocketmine-mp (Composer) | Apr 6, 2026

PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`
Moderate | GHSA-7hmv-4j2j-pp6f was published for pocketmine/pocketmine-mp (Composer) | Apr 6, 2026

PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling
High | GHSA-788v-5pfp-93ff was published for pocketmine/pocketmine-mp (Composer) | Apr 6, 2026

PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
High | GHSA-h6rj-3m53-887h was published for pocketmine/pocketmine-mp (Composer) | Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module
Moderate | CVE-2026-31313 was published for feehi/cms (Composer) | Apr 6, 2026

Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module
Moderate | CVE-2026-31354 was published for feehi/cms (Composer) | Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module
Moderate | CVE-2026-31353 was published for feehi/cms (Composer) | Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module
Moderate | CVE-2026-31351 was published for feehi/cms (Composer) | Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module
Moderate | CVE-2026-31352 was published for feehi/cms (Composer) | Apr 6, 2026

Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter
Moderate | CVE-2026-31350 was published for feehi/cms (Composer) | Apr 6, 2026

CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
Critical | CVE-2026-35035 was published for ci4-cms-erp/ci4ms (Composer) | Apr 6, 2026

AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
Moderate | CVE-2026-35452 was published for wwbn/avideo (Composer) | Apr 4, 2026

AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Moderate | CVE-2026-35450 was published for wwbn/avideo (Composer) | Apr 4, 2026

ProTip! Advisories are also available from the GraphQL API