
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,793 advisories

Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component (High)
CVE-2026-42608, published for getgrav/grav (Composer) on May 5, 2026. Credited to sentinal404.

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic (High)
CVE-2026-42609, published for getgrav/grav (Composer) on May 5, 2026. Credited to AnhNg1410.

Grav has Insecure Deserialization in File Cache (High)
GHSA-gwfr-jfjf-92vv, published for getgrav/grav (Composer) on May 5, 2026. Credited to devsamuelsantiago.

Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass (Critical)
GHSA-vj3m-2g9h-vm4p, published for getgrav/grav (Composer) on May 5, 2026. Credited to Proscan-one.

Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes (High)
CVE-2026-42612, published for getgrav/grav (Composer) on May 5, 2026. Credited to KC1zs4.

Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass (Moderate)
CVE-2026-42610, published for getgrav/grav (Composer) on May 5, 2026. Credited to Samer666569.

Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access (Critical)
CVE-2026-42613, published for getgrav/grav (Composer) on May 5, 2026. Credited to Baikuya.

Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel (Moderate)
CVE-2026-42842, published for getgrav/grav (Composer) on May 5, 2026. Credited to cyabell.

Grav CMS vulnerable to stored XSS via Markdown media attribute() action (Moderate)
CVE-2026-42841, published for getgrav/grav (Composer) on May 5, 2026. Credited to K-Czaplicki and morzelowski.

Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature (Critical)
CVE-2026-42607, published for getgrav/grav (Composer) on May 5, 2026. Credited to akgul7990.

Grav API Privilege Escalation to Super Admin (High)
CVE-2026-42843, published for getgrav/grav-plugin-api (Composer) on May 5, 2026. Credited to n0tra4e.

PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data (High)
CVE-2026-42315, published for pyload-ng (pip) on May 5, 2026. Credited to Sab44.

phpseclib has a CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID() (High)
CVE-2026-44167, published for phpseclib/phpseclib (Composer) on May 5, 2026.

PocketBase vulnerable to account pre-hijacking via OAuth2 unverified->verified autolinking upgrade (Moderate)
CVE-2026-44166, published for github.com/pocketbase/pocketbase (Go) on May 5, 2026. Credited to Alardiians.

changedetection.io has an Arbitrary Local File Read via a crafted backup restore (High)
CVE-2026-43891, published for changedetection.io (pip) on May 5, 2026. Credited to minhlh56 and offset.

@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS (Moderate)
GHSA-7xp7-m392-h92c, published for @evomap/evolver (npm) on May 5, 2026. Credited to offset.

Hysteria: A specially constructed QUIC package can crash the server with OOM when sniffing is enabled (High)
GHSA-9fw6-xgg2-mq9q, published for github.com/apernet/hysteria/core/v2 (Go) on May 5, 2026. Credited to Cherrling.

PyLoad Vulnerable to Path Traversal via Package Folder Name (Moderate)
CVE-2026-42314, published for pyload-ng (pip) on May 5, 2026. Credited to l3tchupkt and tomasilluminati.

Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection (Moderate)
CVE-2026-42303, published for ethyca-fides (pip) on May 5, 2026. Credited to RobertKeyser and daveqnet.

DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header (Critical)
CVE-2026-42300, published for github.com/l3montree-dev/devguard (Go) on May 5, 2026.

GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference) (High)
CVE-2026-42285, published for github.com/osrg/gobgp/v4 (Go) on May 5, 2026. Credited to bacon251.

MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint (Critical)
CVE-2026-42281, published for magicmirror (npm) on May 5, 2026. Credited to Astaruf.