GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
5,116 advisories
CoreShop Vulnerable to SQL Injection via Admin Reports
Moderate. GHSA-ch7p-mpv4-4vg4 was published for coreshop/core-shop (Composer), Jan 7, 2026
Pterodactyl TOTPs can be reused during validity window
Moderate. CVE-2025-69197 was published for pterodactyl/panel (Composer), Jan 6, 2026
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
High. CVE-2025-68954 was published for github.com/pterodactyl/wings (Composer), Jan 6, 2026
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
High. CVE-2026-21857 was published for redaxo/source (Composer), Jan 5, 2026
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
High. CVE-2025-68455 was published for craftcms/cms (Composer), Jan 5, 2026
Unauthenticated Craft CMS users can trigger a database backup
High. CVE-2025-68456 was published for craftcms/cms (Composer), Jan 5, 2026
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
Moderate. CVE-2025-68454 was published for craftcms/cms (Composer), Jan 5, 2026
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
Moderate. CVE-2025-68437 was published for craftcms/cms (Composer), Jan 5, 2026
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Moderate. CVE-2025-68436 was published for craftcms/cms (Composer), Jan 5, 2026
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
High. CVE-2026-21449 was published for bagisto/bagisto (Composer), Jan 2, 2026
Bagisto has IDOR in Customer Order Reorder Functionality
High. CVE-2026-21447 was published for bagisto/bagisto (Composer), Jan 2, 2026
Bagisto has Normal & Blind SSTI from low-privilege user when ordering product
High. CVE-2026-21448 was published for bagisto/bagisto (Composer), Jan 2, 2026
Bagisto SSTI vulnerability in type parameter can lead to RCE
High. CVE-2026-21450 was published for bagisto/bagisto (Composer), Jan 2, 2026
Bagisto has HTML Filter Bypass that Enables Stored XSS
Moderate. CVE-2026-21451 was published for bagisto/bagisto (Composer), Jan 2, 2026
Bagisto Missing Authentication on Installer API Endpoints
High. CVE-2026-21446 was published for bagisto/bagisto (Composer), Jan 2, 2026
libsodium has Incomplete List of Disallowed Inputs
Moderate. CVE-2025-69277 was published for PyNaCl (Composer), Dec 31, 2025
FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload
High. CVE-2025-69210 was published for facturascripts/facturascripts (Composer), Dec 30, 2025
YOURLS is vulnerable to XSS through JSONP and Callback request parameters
High. GHSA-6mp4-q625-mxjp was published for yourls/yourls (Composer), Dec 30, 2025
Composer is vulnerable to ANSI sequence injection
Low. CVE-2025-67746 was published for composer/composer (Composer), Dec 30, 2025
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
High. CVE-2025-69200 was published for thorsten/phpmyfaq (Composer), Dec 30, 2025
Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”
Low. GHSA-mgr9-6c2j-jxrq was published for pterodactyl/panel (Composer), Dec 30, 2025
phpMyFAQ has Stored XSS in user list via admin-managed display_name
Moderate. CVE-2025-68951 was published for thorsten/phpmyfaq (Composer), Dec 29, 2025
Croogo CMS has a path traversal vulnerability
High. CVE-2024-42718 was published for croogo/croogo (Composer), Dec 26, 2025
Cadmium CMS has a background arbitrary file upload vulnerability
High. CVE-2025-51511 was published for cadmium-org/cadmium-cms (Composer), Dec 23, 2025
LibreNMS Alert Rule API Cross-Site Scripting Vulnerability
Moderate. CVE-2025-68614 was published for librenms/librenms (Composer), Dec 23, 2025