GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,297
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,212 advisories
Filter by severity
FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`
Low
CVE-2026-45710
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: CSV formula injection in CSVExport allows authenticated low-priv users to plant payloads that execute when an admin opens the export
High
CVE-2026-45263
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents
High
CVE-2026-45693
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`
Critical
CVE-2026-45262
was published
for
facturascripts/facturascripts
(Composer)
Jul 14, 2026
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access
Moderate
CVE-2026-52828
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
High
CVE-2026-52827
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation
Moderate
CVE-2026-52826
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
Moderate
CVE-2026-52825
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
Critical
CVE-2026-52824
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes
Moderate
CVE-2026-52823
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
Moderate
CVE-2026-52822
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
Moderate
CVE-2026-52821
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Moderate
CVE-2026-52820
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
Moderate
CVE-2026-52819
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
Moderate
CVE-2026-49992
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
FacturaScripts: Account takeover of any 2FA-enabled user
Critical
CVE-2026-47677
was published
for
facturascripts/facturascripts
(Composer)
Jul 13, 2026
NukeViet: Pre-authentication SSRF via X-Forwarded-Host
High
CVE-2026-55372
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
High
CVE-2026-54065
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
High
CVE-2026-54064
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
High
CVE-2026-49259
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Unauthenticated Reflected XSS in Comment Module
High
CVE-2026-48118
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
Critical
CVE-2026-54159
was published
for
prestashop/ps_facetedsearch
(Composer)
Jul 10, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)
High
GHSA-qv4m-m73m-8hj7
was published
for
notrinos/notrinos-erp
(Composer)
Jul 10, 2026
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
High
CVE-2026-45260
was published
for
pimcore/pimcore
(Composer)
May 27, 2026
Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save
High
CVE-2026-5394
was published
for
pimcore/pimcore
(Composer)
May 28, 2026
ProTip!
Advisories are also available from the
GraphQL API