GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,957 advisories

Magento's X-Original-Url header can expose admin url Moderate
CVE-2026-25523 was published for openmage/magento-lts (Composer) Feb 2, 2026
Credited to anees0xdev
Statamic CMS's missing authorization allows access to assets Moderate
CVE-2026-25633 was published for statamic/cms (Composer) Feb 11, 2026
Credited to Neosprings
Phraseanet vulnerable to stored cross-site scripting through crafted file names Moderate
CVE-2018-25157 was published for phraseanet/phraseanet (Composer) Feb 11, 2026
Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions Moderate
CVE-2019-25317 was published for kimai/kimai (Composer) Feb 11, 2026
CI4MS Vulnerable to User Email Enumeration via Password Reset Flow Moderate
CVE-2026-25509 was published for ci4-cms-erp/ci4ms (Composer) Feb 2, 2026
Credited to Far-Horizons
amphp/http-server affected by HTTP/2 DDoS vulnerability Moderate
GHSA-8grv-jq2g-cfhw was published for amphp/http-server (Composer) Feb 10, 2026
Credited to galbarnahum
FroshAdminer Adminer UI is accessible without admin session Moderate
CVE-2026-25878 was published for frosh/adminer-platform (Composer) Feb 10, 2026
Credited to xndrdev and Gugiman
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields Moderate
CVE-2026-25496 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to mHe4am
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect Moderate
CVE-2026-25493 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to mHe4am
Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host Moderate
CVE-2026-25492 was published for craftcms/craft (Composer) Feb 9, 2026
Credited to LeftenantZero
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation Moderate
CVE-2026-25494 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to mHe4am
PrestaShop affected by time based enumeration in FO login form Moderate
CVE-2026-25597 was published for prestashop/prestashop (Composer) Feb 3, 2026
MineAdmin May Expose Sensitive Information to an Unauthorized Actor Moderate
CVE-2026-1194 was published for mineadmin/mineadmin (Composer) Jan 20, 2026
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation Moderate
CVE-2026-25522 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation Moderate
CVE-2026-25490 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation Moderate
CVE-2026-25489 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation Moderate
CVE-2026-25488 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation Moderate
CVE-2026-25487 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation Moderate
CVE-2026-25486 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation Moderate
CVE-2026-25485 was published for craftcms/composer (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS in Product Type Name Moderate
CVE-2026-25484 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration Moderate
CVE-2026-25483 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget) Moderate
CVE-2026-25482 was published for craftcms/commerce (Composer) Feb 2, 2026
Credited to mHe4am
Moodle vulnerable to Cross-site Scripting Moderate
CVE-2025-67855 was published for moodle/moodle (Composer) Feb 3, 2026
Moodle Inserts Sensitive Information Into Sent Data Moderate
CVE-2025-67857 was published for moodle/moodle (Composer) Feb 3, 2026