Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,717
Maven
5,000+
npm
4,328
NuGet
761
pip
4,105
Pub
12
RubyGems
958
Rust
1,065
Swift
45
Unreviewed advisories
All unreviewed
5,000+

5,067 advisories

Loading
Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover High
CVE-2025-66296 was published for getgrav/grav (Composer) Dec 2, 2025
NicatAliyevh
Credited to NicatAliyevh
Snipe-IT allows stored XSS via the Locations "Country" field Moderate
CVE-2025-65622 was published for snipe/snipe-it (Composer) Dec 2, 2025
Snipe-IT is vulnerable to stored cross-site scripting Moderate
CVE-2025-65621 was published for snipe/snipe-it (Composer) Dec 1, 2025
FeehiCMS is vulnerable to cross-site scripting via the id parameter of the User Update function Moderate
CVE-2025-63520 was published for feehi/feehicms (Composer) Dec 1, 2025
FeehiCMS fails to enforce server-side immutability Moderate
CVE-2025-63523 was published for feehi/feehicms (Composer) Dec 1, 2025
FeehiCMS is vulnerable to reverse tabnabbing Moderate
CVE-2025-63522 was published for feehi/feehicms (Composer) Dec 1, 2025
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types] Moderate
CVE-2025-66026 was published for redaxo/source (Composer) Nov 25, 2025
tehofu
Credited to tehofu
Contao is vulnerable to cross-site scripting in templates Low
CVE-2025-65961 was published for contao/core-bundle (Composer) Nov 25, 2025
ausi m-vo
Credited to ausi and m-vo
Contao is vulnerable to remote code execution in template closures Moderate
CVE-2025-65960 was published for contao/core-bundle (Composer) Nov 25, 2025
ausi m-vo
Credited to ausi and m-vo
REDAXO CMS is vulnerable to RCE attack through its template management component High
CVE-2025-64050 was published for redaxo/source (Composer) Nov 25, 2025
REDAXO CMS is vulnerable to XSS through its module management component Moderate
CVE-2025-64049 was published for redaxo/source (Composer) Nov 25, 2025
Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags Moderate
CVE-2025-65956 was published for getformwork/formwork (Composer) Nov 24, 2025
3m4n5
Credited to 3m4n5
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow Moderate
CVE-2025-64027 was published for snipe/snipe-it (Composer) Nov 20, 2025
phppgadmin contains a SQL injection vulnerability Moderate
CVE-2025-60798 was published for phppgadmin/phppgadmin (Composer) Nov 20, 2025
phppgadmin contains an incorrect access control vulnerability Moderate
CVE-2025-60799 was published for phppgadmin/phppgadmin (Composer) Nov 20, 2025
phppgadmin vulnerable to Cross-site Scripting Low
CVE-2025-60796 was published for phppgadmin/phppgadmin (Composer) Nov 20, 2025
phppgadmin contains a SQL injection vulnerability Moderate
CVE-2025-60797 was published for phppgadmin/phppgadmin (Composer) Nov 20, 2025
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter High
CVE-2025-65103 was published for devcode-it/openstamanager (Composer) Nov 19, 2025
XY20130630
Credited to XY20130630
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory Moderate
CVE-2025-12119 was published for mongodb/mongodb-extension (Composer) Nov 19, 2025
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint Moderate
CVE-2025-65093 was published for librenms/librenms (Composer) Nov 18, 2025
marcelomulder
Credited to marcelomulder
Backdrop CMS Host Header Injection vulnerability Moderate
CVE-2025-63828 was published for backdrop/backdrop (Composer) Nov 18, 2025
Drupal core allows Forceful Browsing Low
CVE-2025-13080 was published for drupal/core (Composer) Nov 18, 2025
Drupal core allows Object Injection Moderate
CVE-2025-13081 was published for drupal/core (Composer) Nov 18, 2025
Drupal core allows Content Spoofing Low
CVE-2025-13082 was published for drupal/core (Composer) Nov 18, 2025
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels Low
CVE-2025-13083 was published for drupal/core (Composer) Nov 18, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database