Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,746 advisories

Loading
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField High
CVE-2026-54087 was published for easycorp/easyadmin-bundle (Composer) Jul 14, 2026
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents High
CVE-2026-45693 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
5kr1pt Credited to 5kr1pt
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP High
CVE-2026-52827 was published for kimai/kimai (Composer) Jul 14, 2026
shafiqaimanx Credited to shafiqaimanx
NukeViet: Pre-authentication SSRF via X-Forwarded-Host High
CVE-2026-55372 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function High
CVE-2026-54065 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module High
CVE-2026-54064 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and g03m0n g03m0n g03m0n
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') High
CVE-2026-49259 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
0xGunrunner Credited to 0xGunrunner
NukeViet: Unauthenticated Reflected XSS in Comment Module High
CVE-2026-48118 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and 0xGunrunner 0xGunrunner 0xGunrunner
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) High
GHSA-qv4m-m73m-8hj7 was published for notrinos/notrinos-erp (Composer) Jul 10, 2026
YesWiki has Authenticated SQL Injection via ReactionManager High
CVE-2026-52775 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`) High
CVE-2026-52771 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters High
CVE-2026-52770 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
sondt99 Credited to sondt99
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId` High
CVE-2026-52769 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
hash3liZer Credited to hash3liZer
hash3liZer Credited to hash3liZer and eros938 eros938 eros938
laravel-backup-restore has an OS Command Injection during database restore High
CVE-2026-53932 was published for wnx/laravel-backup-restore (Composer) Jul 9, 2026
YHalo-wyh Credited to YHalo-wyh
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview High
GHSA-86vw-x4ww-x467 was published for craftcms/cms (Composer) Jul 9, 2026
q1uf3ng Credited to q1uf3ng
EGroupware has Authenticated RCE via Malicious eTemplate Upload High
CVE-2026-40187 was published for egroupware/egroupware (Composer) Jul 7, 2026
dapickle Credited to dapickle
Craft CMS: Potential authenticated Remote Code Execution via referrer redirect High
CVE-2026-55794 was published for craftcms/cms (Composer) Jul 6, 2026
Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget High
CVE-2026-55790 was published for craftcms/cms (Composer) Jul 6, 2026
Crypto-Cat Credited to Crypto-Cat
SimpleSAMLphp has Possible DoS via XPath Transform High
CVE-2026-49289 was published for simplesamlphp/saml2 (Composer) Jul 2, 2026
ahacker1-securesaml Credited to ahacker1-securesaml
SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass High
CVE-2026-49283 was published for simplesamlphp/saml2 (Composer) Jul 2, 2026
kamil-sawicki Credited to kamil-sawicki
Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves High
CVE-2026-50282 was published for craftcms/cms (Composer) Jul 2, 2026
davidbors-snyk Credited to davidbors-snyk and cataliniovita-snyk cataliniovita-snyk cataliniovita-snyk
ProTip! Advisories are also available from the GraphQL API