
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,618 advisories

Nodcms contains a cross-site request forgery vulnerability Moderate
CVE-2016-20054 was published for khodakhah/nodcms (Composer) Apr 4, 2026
Webkul Krayin CRM has Server-Side Request Forgery (SSRF) High
CVE-2026-38527 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php High
CVE-2026-38532 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php High
CVE-2026-38529 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php High
CVE-2026-38530 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution Critical
GHSA-w59f-67xm-rxx7 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) Critical
GHSA-gc9w-cc93-rjv8 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() High
GHSA-47hf-23pw-3m8c was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron High
GHSA-75h4-c557-j89r was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing Moderate
GHSA-vmjj-qr7v-pxm6 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() Moderate
GHSA-jvx4-xv3m-hrj4 was published for froxlor/froxlor (Composer) Apr 16, 2026
Credited to offset and mabjr33
Composer has a command injection via malicious perforce repository High
CVE-2026-40176 was published for composer/composer (Composer) Apr 14, 2026
Credited to glaubinix and Saku0512
Composer has a command injection via malicious perforce reference High
CVE-2026-40261 was published for composer/composer (Composer) Apr 14, 2026
Credited to kodareef5
graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation Moderate
CVE-2026-40476 was published for webonyx/graphql-php (Composer) Apr 14, 2026
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate Moderate
CVE-2026-40486 was published for kimai/kimai (Composer) Apr 15, 2026
Credited to udaypali
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget Moderate
CVE-2026-40479 was published for kimai/kimai (Composer) Apr 15, 2026
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket Moderate
GHSA-xp4f-g2cm-rhg7 was published for pocketmine/pocketmine-mp (Composer) Apr 15, 2026
Credited to DrakzoSurYT and dktapps
Craft CMS has a host header injection leading to SSRF via resource-js endpoint Moderate
GHSA-95wr-3f2v-v2wh was published for craftcms/cms (Composer) Apr 14, 2026
Credited to HuajiHD
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations Moderate
GHSA-3m9m-24vh-39wx was published for craftcms/cms (Composer) Apr 14, 2026
Credited to r3dbrothers
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action Moderate
GHSA-jq2f-59pj-p3m3 was published for craftcms/cms (Composer) Apr 14, 2026
Credited to kaminuma
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection High
GHSA-pq8p-wc4f-vg7j was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS Moderate
GHSA-m7r8-6q9j-m2hc was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters Moderate
GHSA-m63r-m9jh-3vc6 was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver Moderate
GHSA-8pv3-29pp-pf8f was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
ProTip! Advisories are also available from the GraphQL API
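The listing above is a feed of Composer-ecosystem advisories; the practical question for a PHP shop is which of them touch the packages pinned in its own composer.lock. The script below is an added example, not code from GitHub or from any of the projects listed. It uses GitHub's documented GraphQL `securityAdvisories` query (fields `ghsaId`, `severity`, `identifiers`, `vulnerabilities { package, vulnerableVersionRange, firstPatchedVersion }`) to pull recent advisories for an ecosystem, then matches each GHSA version range (clauses such as `>= 2.0.0, < 2.8.5`) against the installed versions. The network call needs a `GITHUB_TOKEN`; the sample API response and lock file embedded below are constructed with placeholder package names and identifiers so the matching logic runs offline.

```python
"""Match GitHub Advisory Database entries against a composer.lock.

Added example. Real surface: POST https://api.github.com/graphql with a
bearer token and the `securityAdvisories` query. SAMPLE_RESPONSE and
SAMPLE_LOCK are constructed placeholders, not real advisories or packages.
"""
import json
import os
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $since: DateTime) {
  securityAdvisories(first: 100, ecosystem: $ecosystem, publishedSince: $since,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    nodes {
      ghsaId severity publishedAt
      identifiers { type value }
      vulnerabilities(first: 20) {
        nodes {
          package { name ecosystem }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""


def fetch_advisories(token, ecosystem="COMPOSER", since=None):
    """Run QUERY against the live API (not exercised offline)."""
    body = json.dumps({"query": QUERY,
                       "variables": {"ecosystem": ecosystem, "since": since}}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=body, headers={
        "Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(response):
    """One row per (advisory, affected package) pair."""
    rows = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        cves = [i["value"] for i in adv["identifiers"] if i["type"] == "CVE"]
        for v in adv["vulnerabilities"]["nodes"]:
            rows.append({
                "ghsa": adv["ghsaId"], "cve": cves[0] if cves else None,
                "severity": adv["severity"],
                "package": v["package"]["name"].lower(),
                "range": v["vulnerableVersionRange"],
                "fixed": (v["firstPatchedVersion"] or {}).get("identifier")})
    return rows


_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")  # leading 'v' is common in composer.lock


def _vkey(version):
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a numeric version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _cmp(a, b):
    n = max(len(a), len(b))  # pad so 1.4 == 1.4.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "=": lambda c: c == 0}


def in_range(version, vuln_range):
    """GHSA ranges are comma-separated clauses, all of which must hold."""
    v = _vkey(version)
    for clause in vuln_range.split(","):
        op, bound = clause.strip().split()
        if not _OPS[op](_cmp(v, _vkey(bound))):
            return False
    return True


def affected(rows, lock):
    """Return (package, installed, ghsa, severity, fixed) for every hit.
    Branch versions such as dev-main are skipped: a numeric range says nothing about them."""
    installed = {p["name"].lower(): p["version"]
                 for section in ("packages", "packages-dev") for p in lock.get(section, [])}
    hits = []
    for r in rows:
        ver = installed.get(r["package"])
        if ver is None or not _VERSION_RE.match(ver):
            continue
        if in_range(ver, r["range"]):
            hits.append((r["package"], ver, r["ghsa"], r["severity"], r["fixed"]))
    return hits


# Constructed sample data (placeholder identifiers; not real advisories).
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {"nodes": [
    {"ghsaId": "GHSA-xxxx-xxxx-xxx1", "severity": "HIGH", "publishedAt": "2026-04-14T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx1"},
                     {"type": "CVE", "value": "CVE-0000-00001"}],
     "vulnerabilities": {"nodes": [{"package": {"name": "example/vcs-driver", "ecosystem": "COMPOSER"},
                                    "vulnerableVersionRange": ">= 2.0.0, < 2.8.5",
                                    "firstPatchedVersion": {"identifier": "2.8.5"}}]}},
    {"ghsaId": "GHSA-xxxx-xxxx-xxx2", "severity": "MODERATE", "publishedAt": "2026-04-15T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx2"}],
     "vulnerabilities": {"nodes": [{"package": {"name": "example/crm", "ecosystem": "COMPOSER"},
                                    "vulnerableVersionRange": "< 1.4.0",
                                    "firstPatchedVersion": None}]}},
]}}}
SAMPLE_LOCK = {"packages": [{"name": "example/vcs-driver", "version": "v2.7.1"},
                            {"name": "example/crm", "version": "1.4.0"}],
               "packages-dev": [{"name": "example/other", "version": "dev-main"}]}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    data = fetch_advisories(token) if token else SAMPLE_RESPONSE
    for hit in affected(flatten(data), SAMPLE_LOCK):
        print("AFFECTED: %s %s -> %s (%s), fixed in %s" % hit)
```

Run it with `GITHUB_TOKEN` set to match live Composer advisories against the embedded lock, or point `SAMPLE_LOCK` at `json.load(open("composer.lock"))`. Version comparison is deliberately numeric-only: pre-release suffixes and `dev-*` branches are skipped rather than guessed, which is the same reason `composer audit` (Composer 2.4 and later) is the better tool for a CI gate; this script is for when you need the GHSA and CVE identifiers in your own pipeline.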