Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,188 advisories

Loading
mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function High
CVE-2026-52854 was published for mediawiki/maps (Composer) Jul 2, 2026
SomeMWDev Credited to SomeMWDev
Kimai Password Reset Link Remains Valid After Password Change Low
GHSA-m492-gv72-xvxj was published for kimai/kimai (Composer) Jul 1, 2026
AzureADTrent Credited to AzureADTrent
fabpot Credited to fabpot
Schema.org has cross-site scripting (XSS) via script break-out in toScript() output Low
GHSA-hwmc-r6mf-jh83 was published for spatie/schema-org (Composer) Jul 1, 2026
EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components Moderate
GHSA-2wwr-9x6f-88gp was published for easycorp/easyadmin-bundle (Composer) Jul 1, 2026
Paymenter has race condition in payWithCredit() that enables credit double-spend Moderate
CVE-2026-55219 was published for paymenter/paymenter (Composer) Jun 30, 2026
debibobo Credited to debibobo and CorwinDev CorwinDev CorwinDev
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` Moderate
CVE-2026-48808 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters Moderate
CVE-2026-48807 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys Moderate
CVE-2026-48806 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` Low
CVE-2026-48805 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Paymenter has URL parameter injection that bypasses paid plan limits at checkout High
CVE-2026-47198 was published for paymenter/paymenter (Composer) Jun 30, 2026
debibobo Credited to debibobo and CorwinDev CorwinDev CorwinDev
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
jqr1449186277 Credited to jqr1449186277
Statamic Vulnerable to CSV formula injection in form submission exports Moderate
CVE-2026-54243 was published for statamic/cms (Composer) Jun 26, 2026
kah-ja Credited to kah-ja
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) Moderate
CVE-2026-54242 was published for statamic/cms (Composer) Jun 26, 2026
jqr1449186277 Credited to jqr1449186277
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings High
GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) Jun 26, 2026
Statamic CMS's unsafe method invocation via collection sorting allows data destruction High
CVE-2026-49287 was published for statamic/cms (Composer) Jun 26, 2026
Eszh Credited to Eszh
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources Moderate
CVE-2026-49288 was published for statamic/cms (Composer) Jun 26, 2026
offset Credited to offset, Eszh, and geo-chen Eszh Eszh
geo-chen geo-chen
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option Moderate
CVE-2026-49359 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles Low
CVE-2026-49358 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) High
CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
PomPomSaturin Credited to PomPomSaturin
tonghuaroot Credited to tonghuaroot and endelwar endelwar endelwar
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards High
GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) Jun 26, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs Moderate
GHSA-q683-8468-r6h6 was published for web-auth/webauthn-symfony-bundle (Composer) Jun 26, 2026
CakePHP: View::element() is missing a path containment check Moderate
CVE-2026-48820 was published for cakephp/cakephp (Composer) Jun 26, 2026
z3moo Credited to z3moo, get-wright, markstory, and dereuromark get-wright get-wright
markstory markstory dereuromark dereuromark
ProTip! Advisories are also available from the GraphQL API