GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
5,986 advisories
Filament: Disabled RichEditor field state can be used for XSS
High
CVE-2026-55409
was published
for
filament/forms
(Composer)
Jun 17, 2026
Laravel Framework: Temporary Signed URL Path Confusion
Moderate
GHSA-crmm-hgp2-wgrp
was published
for
laravel/framework
(Composer)
Jun 17, 2026
Laravel Framework: CRLF injection in default email rule
High
GHSA-5vg9-5847-vvmq
was published
for
laravel/framework
(Composer)
Jun 17, 2026
October Rain has Stored XSS via SVG Filter Bypass
Moderate
CVE-2026-25133
was published
for
october/rain
(Composer)
Apr 14, 2026
October Rain has Environment Variable Exfiltration via INI Parser Interpolation
Moderate
CVE-2026-25125
was published
for
october/rain
(Composer)
Apr 14, 2026
phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access
Moderate
GHSA-m557-wrgg-6rp4
was published
for
phpseclib/phpseclib
(Composer)
Jun 16, 2026
Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Moderate
CVE-2026-48784
was published
for
symfony/routing
(Composer)
Jun 15, 2026
Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Moderate
CVE-2026-48760
was published
for
symfony/html-sanitizer
(Composer)
Jun 15, 2026
Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
Moderate
CVE-2026-48747
was published
for
symfony/mailomat-mailer
(Composer)
Jun 15, 2026
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate
CVE-2026-48736
was published
for
symfony/http-client
(Composer)
Jun 15, 2026
Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
High
CVE-2026-48489
was published
for
symfony/security-http
(Composer)
Jun 15, 2026
Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes
Moderate
CVE-2026-48761
was published
for
symfony/html-sanitizer
(Composer)
Jun 15, 2026
Admidio PKCS#12 private key export action lacks CSRF protection
Moderate
CVE-2026-47232
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio writes session IDs and auto-login cookie values to application logs
Moderate
CVE-2026-47234
was published
for
admidio/admidio
(Composer)
May 29, 2026
Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs
High
CVE-2026-47260
was published
for
phanan/koel
(Composer)
May 29, 2026
FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service
Moderate
CVE-2026-45802
was published
for
setasign/fpdi
(Composer)
May 19, 2026
ProTip!
Advisories are also available from the
GraphQL API