Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,188 advisories

Loading
Sylius: IDOR on Shop Payment Request API endpoints Moderate
CVE-2026-53639 was published for sylius/sylius (Composer) Jul 9, 2026
baradika Credited to baradika
Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint Moderate
CVE-2026-53638 was published for sylius/sylius (Composer) Jul 9, 2026
FredrikEV Credited to FredrikEV
Sylius: Cart FormComponent allows modification or deletion of an already-completed order Moderate
CVE-2026-53637 was published for sylius/sylius (Composer) Jul 9, 2026
kgonella Credited to kgonella
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize Critical
CVE-2026-52777 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
fg0x0 Credited to fg0x0
YesWiki has Authenticated SQL Injection via ReactionManager High
CVE-2026-52775 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes Moderate
CVE-2026-52774 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php` Moderate
CVE-2026-52773 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html')) Moderate
CVE-2026-52772 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
offset Credited to offset
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`) High
CVE-2026-52771 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters High
CVE-2026-52770 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
sondt99 Credited to sondt99
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId` High
CVE-2026-52769 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
hash3liZer Credited to hash3liZer
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action Critical
CVE-2026-52766 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read Moderate
CVE-2026-52763 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
hash3liZer Credited to hash3liZer and eros938 eros938 eros938
laravel-backup-restore has an OS Command Injection during database restore High
CVE-2026-53932 was published for wnx/laravel-backup-restore (Composer) Jul 9, 2026
YHalo-wyh Credited to YHalo-wyh
Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests Moderate
CVE-2026-53760 was published for admidio/admidio (Composer) Jul 9, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview High
GHSA-86vw-x4ww-x467 was published for craftcms/cms (Composer) Jul 9, 2026
q1uf3ng Credited to q1uf3ng
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read Low
GHSA-c43v-4cr8-6mvp was published for craftcms/cms (Composer) Jul 9, 2026
GCXWLP Credited to GCXWLP
Sharp Missing Authorization Check in Quick Creation Command Endpoints Moderate
CVE-2026-53634 was published for code16/sharp (Composer) Jul 8, 2026
baradika Credited to baradika
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose Moderate
CVE-2026-45016 was published for egroupware/egroupware (Composer) Jul 7, 2026
smitocaru Credited to smitocaru
EGroupware has Authenticated RCE via Malicious eTemplate Upload High
CVE-2026-40187 was published for egroupware/egroupware (Composer) Jul 7, 2026
dapickle Credited to dapickle
EGroupware has a Remote Code Execution Vulnerability Critical
CVE-2026-27823 was published for egroupware/egroupware (Composer) Jul 7, 2026
realalphaman Credited to realalphaman
ProTip! Advisories are also available from the GraphQL API