Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

338 advisories

Loading
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) High
GHSA-qv4m-m73m-8hj7 was published for notrinos/notrinos-erp (Composer) Jul 10, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE Critical
CVE-2026-53649 was published for github.com/BishopFox/joro (Go) Jul 8, 2026
stover-BF Credited to stover-BF
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE) Critical
GHSA-qxvg-h7q2-hcxh was published for motioneye (pip) Jun 23, 2026
C4spr0x1A Credited to C4spr0x1A and MichaIng MichaIng MichaIng
Paymenter vulnerable to Remote Code Execution via public file uploads Critical
CVE-2025-58048 was published for paymenter/paymenter (Composer) Jun 22, 2026
enigmaticious Credited to enigmaticious and CorwinDev CorwinDev CorwinDev
parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist Low
CVE-2026-55778 was published for parse-server (npm) Jun 19, 2026
mtrezza Credited to mtrezza
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist Low
CVE-2026-53724 was published for parse-server (npm) Jun 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
DotVVM: Unrestricted file upload Moderate
GHSA-2rm3-333w-xvc4 was published for DotVVM (NuGet) Jun 19, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule Critical
CVE-2026-48062 was published for codeigniter4/framework (Composer) Jun 11, 2026
z3moo Credited to z3moo and teebow1e teebow1e teebow1e
Budibase: Unrestricted Upload of File with Dangerous Type High
CVE-2026-46426 was published for budibase (npm) May 19, 2026
da7om85 Credited to da7om85
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions High
CVE-2026-45315 was published for open-webui (pip) May 14, 2026
maloleg Credited to maloleg and Classic298 Classic298 Classic298
Strapi Upload Plugin MIME Validation Bypass via Content API Moderate
CVE-2026-22707 was published for @strapi/upload (npm) May 14, 2026
kaminuma Credited to kaminuma and arkmarta arkmarta arkmarta
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option High
CVE-2026-45089 was published for github.com/hahwul/dalfox/v2 (Go) May 12, 2026
drmingler Credited to drmingler
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal High
CVE-2026-44566 was published for open-webui (pip) May 8, 2026
KoreLogicSecurityDisclosures Credited to KoreLogicSecurityDisclosures
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images Moderate
CVE-2026-42879 was published for facturascripts/facturascripts (Composer) May 7, 2026
guzrex Credited to guzrex
FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism High
CVE-2026-27891 was published for facturascripts/facturascripts (Composer) May 7, 2026
ZeroXJacks Credited to ZeroXJacks
Low-privileged Grav API users can create super-admin accounts via blueprint-upload High
CVE-2026-42844 was published for getgrav/grav (Composer) May 6, 2026
0d000721999 Credited to 0d000721999
livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler High
GHSA-gxxh-8vcj-w2mh was published for mckenziearts/livewire-markdown-editor (Composer) May 4, 2026
OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality High
CVE-2026-38751 was published for devcode-it/openstamanager (Composer) May 4, 2026
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution High
CVE-2026-41587 was published for ci4-cms-erp/ci4ms (Composer) Apr 29, 2026
dapickle Credited to dapickle
Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type High
CVE-2026-38991 was published for cockpit-hq/cockpit (Composer) Apr 29, 2026
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution High
CVE-2026-40488 was published for openmage/magento-lts (Composer) Apr 21, 2026
amine-malloul-gira Credited to amine-malloul-gira and tsokalski tsokalski tsokalski
Flowise: File Upload Validation Bypass in createAttachment High
CVE-2026-41269 was published for flowise (npm) Apr 16, 2026
quirmz Credited to quirmz
Weblate: Remote code execution during backup restoration High
CVE-2026-33435 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel and amCap1712 amCap1712 amCap1712
Note Mark has Stored XSS via Unrestricted Asset Upload High
CVE-2026-40262 was published for github.com/enchant97/note-mark/backend (Go) Apr 13, 2026
QiaoNPC Credited to QiaoNPC, Across-Verticals-Malaysia, and enchant97 Across-Verticals-Malaysia Across-Verticals-Malaysia
enchant97 enchant97
ProTip! Advisories are also available from the GraphQL API