GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31,300 advisories

MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper (Critical)
CVE-2026-47708 was published for stata-mcp (pip) on Jun 4, 2026
Credited to SepineTam

AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle (Moderate)
CVE-2026-47703 was published for github.com/AdguardTeam/AdGuardHome (Go) on Jun 4, 2026
Credited to N0zoM1z0

Supply chain compromise via malicious @cap-js/openapi (Critical)
GHSA-jpvj-wpmj-h7rv was published for @cap-js/openapi (npm) on Jun 4, 2026

Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation (Moderate)
CVE-2026-48013 was published for shopware/core (Composer) on Jun 4, 2026
Credited to offset and 0xEr3n

Shopware: Stored XSS via SVG file upload — no SVG sanitization (Moderate)
CVE-2026-48015 was published for shopware/core (Composer) on Jun 4, 2026
Credited to Keyvanhardani

Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment (Moderate)
CVE-2026-48016 was published for shopware/core (Composer) on Jun 4, 2026

Shopware: Admin API ACL Bypass in Order State Transition Endpoints (Moderate)
CVE-2026-48014 was published for shopware/core (Composer) on Jun 4, 2026
Credited to offset

Shopware SSO referer trust leading to an arbitrary redirect target (Moderate)
CVE-2026-48012 was published for shopware/core (Composer) on Jun 4, 2026
Credited to lalalala5678

Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames (Low)
CVE-2026-48011 was published for shopware/core (Composer) on Jun 4, 2026
Credited to NielDuysters and tbrankaer

Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts (Moderate)
CVE-2026-48010 was published for shopware/core (Composer) on Jun 4, 2026
Credited to Keyvanhardani

Shopware: Admin Account Takeover via User Recovery Hash Exposure (Moderate)
CVE-2026-48009 was published for shopware/core (Composer) on Jun 4, 2026

Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass (Moderate)
CVE-2026-48008 was published for shopware/core (Composer) on Jun 4, 2026

WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin (Critical)
GHSA-8whc-2wmv-ww35 was published for WWBN/AVideo (Composer) on Jun 4, 2026
Credited to arkmarta

WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section (Moderate)
CVE-2026-50183 was published for WWBN/AVideo (Composer) on Jun 4, 2026
Credited to arkmarta

WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination (Moderate)
CVE-2026-50182 was published for WWBN/AVideo (Composer) on Jun 4, 2026
Credited to arkmarta and oduoke567

WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint (High)
CVE-2026-47696 was published for WWBN/AVideo (Composer) on Jun 4, 2026
Credited to proochicken

WWBN AVideo: Stored XSS via unescaped Gallery category description (Moderate)
CVE-2026-47694 was published for WWBN/AVideo (Composer) on Jun 4, 2026
Credited to proochicken

Spree: CSV Formula Injection in Customer Export (Moderate)
GHSA-xf4v-w5x5-pv79 was published for spree (RubyGems) on Jun 4, 2026
Credited to StarPlatinu

OpenMeter: SQL injection through meter creation (Moderate)
CVE-2026-8462 was published for github.com/openmeterio/openmeter (Go) on Jun 4, 2026
Credited to Rootingg

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 (Moderate)
CVE-2026-47674 was published for hono (npm) on Jun 4, 2026
Credited to offset and 0xEr3n

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection (Moderate)
CVE-2026-47675 was published for hono (npm) on Jun 4, 2026
Credited to offset and 0xEr3n

Hono: JWT middleware accepts any Authorization scheme, not only Bearer (Moderate)
CVE-2026-47673 was published for hono (npm) on Jun 4, 2026
Credited to SQU4NCH

epa4all-client: Unauthenticated REST API for Patient Record Writes (Moderate)
CVE-2026-47672 was published for com.oviva.telematik:epa4all-rest-service (Maven) on Jun 4, 2026
Credited to snomi and Volcore