GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
5,943 advisories
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript:` URI Survives Sanitization (XSS)
Low
CVE-2026-45753 was published for symfony/html-sanitizer (Composer) on May 28, 2026
Pimcore has a CustomReports Share Bypass
High
CVE-2026-45704 was published for pimcore/pimcore (Composer) on May 27, 2026
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export
Moderate
CVE-2026-45703 was published for pimcore/pimcore (Composer) on May 27, 2026
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Low
CVE-2026-45305 was published for symfony/symfony (Composer) on May 27, 2026
Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Low
CVE-2026-45304 was published for symfony/symfony (Composer) on May 27, 2026
Symfony hardened the parser when handling untrusted input
Low
CVE-2026-45133 was published for symfony/symfony (Composer) on May 27, 2026
Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint
High
CVE-2026-45332 was published for automad/automad (Composer) on May 27, 2026
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
High
CVE-2026-45077 was published for symfony/monolog-bridge (Composer) on May 27, 2026
Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
Moderate
CVE-2026-45075 was published for symfony/http-kernel (Composer) on May 27, 2026
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
Moderate
CVE-2026-45074 was published for symfony/security-http (Composer) on May 27, 2026
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
Moderate
CVE-2026-45073 was published for symfony/cache (Composer) on May 27, 2026
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Low
CVE-2026-45072 was published for symfony/symfony (Composer) on May 27, 2026
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
Low
CVE-2026-45071 was published for symfony/dom-crawler (Composer) on May 27, 2026
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names
Moderate
CVE-2026-45070 was published for symfony/mime (Composer) on May 27, 2026
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Moderate
CVE-2026-45069 was published for symfony/security-http (Composer) on May 27, 2026
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Moderate
CVE-2026-45068 was published for symfony/mailer (Composer) on May 27, 2026
Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
High
CVE-2026-45067 was published for symfony/mime (Composer) on May 27, 2026
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
Moderate
CVE-2026-45066 was published for symfony/html-sanitizer (Composer) on May 27, 2026
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
Moderate
CVE-2026-45064 was published for symfony/html-sanitizer (Composer) on May 27, 2026
Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
High
CVE-2026-45368 was published for getkirby/cms (Composer) on May 27, 2026
Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
Moderate
CVE-2026-45334 was published for getkirby/cms (Composer) on May 27, 2026
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
High
CVE-2026-45260 was published for pimcore/pimcore (Composer) on May 27, 2026
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
High
CVE-2026-45162 was published for pimcore/pimcore (Composer) on May 27, 2026
Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
Moderate
CVE-2026-45065 was published for symfony/routing (Composer) on May 27, 2026
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
High
CVE-2026-45063 was published for symfony/security-http (Composer) on May 27, 2026
ProTip! Advisories are also available from the GraphQL API