GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,177 advisories
Filter by severity
Sylius: Cart FormComponent allows modification or deletion of an already-completed order
Moderate
CVE-2026-53637
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
Critical
CVE-2026-52778
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize
Critical
CVE-2026-52777
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has Authenticated SQL Injection via ReactionManager
High
CVE-2026-52775
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes
Moderate
CVE-2026-52774
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php`
Moderate
CVE-2026-52773
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))
Moderate
CVE-2026-52772
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`)
High
CVE-2026-52771
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters
High
CVE-2026-52770
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId`
High
CVE-2026-52769
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via `!openssl_verify(...)` accepting `int(-1)`
High
CVE-2026-52767
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action
Critical
CVE-2026-52766
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read
Moderate
CVE-2026-52763
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates
High
CVE-2026-52762
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
Avo: Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy
Moderate
CVE-2026-53769
was published
for
avo
(RubyGems)
Jul 9, 2026
laravel-backup-restore has an OS Command Injection during database restore
High
CVE-2026-53932
was published
for
wnx/laravel-backup-restore
(Composer)
Jul 9, 2026
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate
Moderate
CVE-2026-53602
was published
for
github.com/forgekeep/nebula-mesh
(Go)
Jul 9, 2026
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Moderate
GHSA-382c-vx95-w3p5
was published
for
@jsonbored/gittensory-mcp
(npm)
Jul 9, 2026
Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests
Moderate
CVE-2026-53760
was published
for
admidio/admidio
(Composer)
Jul 9, 2026
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview
High
GHSA-86vw-x4ww-x467
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Low
GHSA-c43v-4cr8-6mvp
was published
for
craftcms/cms
(Composer)
Jul 9, 2026
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`
High
CVE-2026-53727
was published
for
css_parser
(RubyGems)
Jul 9, 2026
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
High
CVE-2026-49485
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
(Maven)
Jul 9, 2026
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
Moderate
CVE-2026-53720
was published
for
pymonocypher
(pip)
Jul 9, 2026
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
High
CVE-2026-50553
was published
for
github.com/enchant97/note-mark/backend
(Go)
Jul 9, 2026
ProTip!
Advisories are also available from the
GraphQL API