Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

624 advisories

Loading
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE Critical
CVE-2026-54159 was published for prestashop/ps_facetedsearch (Composer) Jul 10, 2026
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize Critical
CVE-2026-52777 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
fg0x0 Credited to fg0x0
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action Critical
CVE-2026-52766 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
EGroupware has a Remote Code Execution Vulnerability Critical
CVE-2026-27823 was published for egroupware/egroupware (Composer) Jul 7, 2026
realalphaman Credited to realalphaman
Formie Hidden field defaults vulnerable to Server-Side Template Injection Critical
CVE-2026-52889 was published for verbb/formie (Composer) Jul 6, 2026
CodeIgniter arbitrary code execution Critical
CVE-2016-10131 was published for bcit-ci/codeigniter (Composer) May 17, 2022
cookesan Credited to cookesan
Mautic vulnerable to Path Traversal via Campaign Import Critical
CVE-2026-9559 was published for mautic/core (Composer) Jul 2, 2026
nglong05 Credited to nglong05, f3nrir77, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing f3nrir77 f3nrir77
escopecz escopecz patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
Mautic has Server-Side Template Injection (SSTI) in Theme Templates Critical
CVE-2026-9558 was published for mautic/core (Composer) Jul 2, 2026
onurcangnc Credited to onurcangnc, xfer0, Entropt, patrykgruszka, escopecz, LeuchtfeuerDigitalMarketing, and NumberOreo1 xfer0 xfer0
Entropt Entropt patrykgruszka patrykgruszka escopecz escopecz LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing NumberOreo1 NumberOreo1
Object injection in PHPMailer/PHPMailer Critical
CVE-2020-36326 was published for phpmailer/phpmailer (Composer) May 4, 2021
farisv Credited to farisv
Dolibarr ERP CRM contains a remote code evaluation vulnerability Critical
CVE-2018-25357 was published for dolibarr/dolibarr (Composer) May 26, 2026
TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector) Critical
CVE-2026-46725 was published for mmc/ceselector (Composer) May 19, 2026
eliashaeussler Credited to eliashaeussler
Concrete CMS Vulnerable to Relative Path Traversal Critical
CVE-2026-8134 was published for concrete5/concrete5 (Composer) May 21, 2026
Paymenter vulnerable to Remote Code Execution via public file uploads Critical
CVE-2025-58048 was published for paymenter/paymenter (Composer) Jun 22, 2026
enigmaticious Credited to enigmaticious and CorwinDev CorwinDev CorwinDev
arkmarta Credited to arkmarta
AVideo contains Command injection when embedding a video link Critical
CVE-2023-25313 was published for wwbn/avideo (Composer) Feb 2, 2023
gonzxph Credited to gonzxph and cookesan cookesan cookesan
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs Critical
CVE-2026-55791 was published for craftcms/cms (Composer) Jun 19, 2026
seoyoung-kang Credited to seoyoung-kang
Cotonti: Cross-Site Request Forgery in the administration rights handler Critical
CVE-2026-55742 was published for cotonti/cotonti (Composer) Jun 18, 2026
Drupal Core has a SQL Injection issue Critical
CVE-2026-9082 was published for drupal/core (Composer) May 20, 2026
Rudloff Credited to Rudloff and orbegam orbegam orbegam
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header Critical
CVE-2026-54003 was published for getkirby/cms (Composer) Jun 18, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule Critical
CVE-2026-48062 was published for codeigniter4/framework (Composer) Jun 11, 2026
z3moo Credited to z3moo and teebow1e teebow1e teebow1e
Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter Critical
CVE-2026-48030 was published for pheditor/pheditor (Composer) Jun 9, 2026
muslimbek-0x Credited to muslimbek-0x
Formie: Pre-authenticated server-side template injection in Hidden fields Critical
CVE-2026-45697 was published for verbb/formie (Composer) May 18, 2026
pwnsauc3 Credited to pwnsauc3
phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id Critical
CVE-2026-45010 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id Critical
GHSA-6626-79jh-5ccr was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API