Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

121 advisories

Loading
Moodle affected by a code injection vulnerability High
CVE-2025-67847 was published for moodle/moodle (Composer) Jan 23, 2026
asrar-mared Seldaek
Credited to asrar-mared and Seldaek
Shopware Has Improper Control of Generation of Code in Twig rendered views High
CVE-2026-23498 was published for shopware/core (Composer) Jan 14, 2026
lukasz-rybak andreisss
Credited to lukasz-rybak and andreisss
Shopware Has Improper Control of Generation of Code in Twig rendered views High
CVE-2023-2017 was published for shopware/core (Composer) Apr 18, 2023
Creastery
Credited to Creastery
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE) High
CVE-2025-67509 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
siewer
Credited to siewer
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass High
CVE-2025-66294 was published for getgrav/grav (Composer) Dec 2, 2025
nakkouchtarek
Credited to nakkouchtarek
Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection) High
CVE-2025-66299 was published for getgrav/grav (Composer) Dec 2, 2025
justwove
Credited to justwove
REDAXO CMS is vulnerable to RCE attack through its template management component High
CVE-2025-64050 was published for redaxo/source (Composer) Nov 25, 2025
Smarty vulnerable to PHP Code Injection by malicious attribute in extends-tag High
CVE-2024-35226 was published for smarty/smarty (Composer) May 29, 2024
TrixterTheTux
Credited to TrixterTheTux
Craft CMS has a potential RCE with a compromised security key High
CVE-2025-23209 was published for craftcms/cms (Composer) Jan 21, 2025
Dolibarr vulnerable to RCE via the computed field parameter High
CVE-2025-56588 was published for dolibarr/dolibarr (Composer) Oct 1, 2025
TYPO3 Install Tool vulnerable to Code Execution High
CVE-2024-22188 was published for typo3/cms-core (Composer) Feb 13, 2024
bnf
Credited to bnf
Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI High
CVE-2024-52293 was published for craftcms/cms (Composer) Nov 13, 2024
rewhile
Credited to rewhile
Bolt CMS vulnerable to authenticated remote code execution High
CVE-2025-34086 was published for bolt/bolt (Composer) Jul 3, 2025
Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository High
CVE-2025-3642 was published for moodle/moodle (Composer) Apr 25, 2025
Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository High
CVE-2025-3641 was published for moodle/moodle (Composer) Apr 25, 2025
TYPO3 powermail extension has unrestricted file upload vulnerability High
CVE-2014-3947 was published for in2code/powermail (Composer) May 17, 2022
TYPO3 Color Picker Wizard component allows remote authenticated editors to execute arbitrary PHP code High
CVE-2014-3942 was published for typo3/cms (Composer) May 14, 2022
TYPO3 vulnerable to remote authenticated arbitrary code execution High
CVE-2013-4321 was published for typo3/cms (Composer) May 17, 2022
Pimcore Vulnerable to PHP Object Injection Attacks High
CVE-2014-2921 was published for pimcore/pimcore (Composer) May 17, 2022
ImpressPages CMS eval injection vulnerability High
CVE-2011-4932 was published for impresspages/impresspages (Composer) May 17, 2022
Webkit PDFs for TYPO3 allows remote attackers to execute arbitrary commands High
CVE-2010-4962 was published for dmk/webkitpdf (Composer) May 17, 2022
EGroupware Code Injection vulnerability High
CVE-2010-3313 was published for egroupware/egroupware (Composer) May 17, 2022
TYPO3 PHP remote file inclusion vulnerability High
CVE-2010-1153 was published for typo3/cms (Composer) May 2, 2022
Command injection in yiisoft/yii2-gii High
CVE-2020-36655 was published for yiisoft/yii2-gii (Composer) Jan 21, 2023
CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter High
CVE-2023-30130 was published for craftcms/cms (Composer) May 12, 2023
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database