GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5,074 advisories
Shopware Storefront Reflected XSS in Storefront Login Page
High
GHSA-6w82-v552-wjw2
was published
for
shopware/shopware
(Composer)
Dec 9, 2025
SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475
Critical
GHSA-5j8p-438x-rgg5
was published
for
onelogin/php-saml
(Composer)
Dec 9, 2025
Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)
Critical
CVE-2025-67510
was published
for
neuron-core/neuron-ai
(Composer)
Dec 9, 2025
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE)
High
CVE-2025-67509
was published
for
neuron-core/neuron-ai
(Composer)
Dec 9, 2025
Filament multi-factor authentication (app) recovery codes can be used multiple times
High
CVE-2025-67507
was published
for
filament/filament
(Composer)
Dec 9, 2025
robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass Digest/Signature validation
Moderate
CVE-2025-66578
was published
for
robrichards/xmlseclibs
(Composer)
Dec 8, 2025
GrapesJsBuilder File Upload allows all file uploads
High
CVE-2025-13827
was published
for
mautic/grapes-js-builder-bundle
(Composer)
Dec 2, 2025
Mautic user without privileged access to the Marketplace can install and uninstall composer packages
Critical
CVE-2025-13828
was published
for
mautic/core
(Composer)
Dec 2, 2025
Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
High
CVE-2025-66298
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
High
CVE-2025-66294
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
Moderate
CVE-2025-66310
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
Moderate
CVE-2025-66309
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
High
CVE-2025-66297
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
Moderate
CVE-2025-66308
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
High
CVE-2025-66295
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
High
CVE-2025-66305
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
Moderate
CVE-2025-66306
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav vulnerable to Path Traversal allowing server files backup
Moderate
CVE-2025-66302
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
Moderate
CVE-2025-66307
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
Moderate
CVE-2025-66312
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
ProTip!
Advisories are also available from the
GraphQL API