Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

623 advisories

Loading
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize Critical
CVE-2026-52777 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
fg0x0 Credited to fg0x0
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action Critical
CVE-2026-52766 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
EGroupware has a Remote Code Execution Vulnerability Critical
CVE-2026-27823 was published for egroupware/egroupware (Composer) Jul 7, 2026
realalphaman Credited to realalphaman
Formie Hidden field defaults vulnerable to Server-Side Template Injection Critical
CVE-2026-52889 was published for verbb/formie (Composer) Jul 6, 2026
Mautic vulnerable to Path Traversal via Campaign Import Critical
CVE-2026-9559 was published for mautic/core (Composer) Jul 2, 2026
nglong05 Credited to nglong05, f3nrir77, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing f3nrir77 f3nrir77
escopecz escopecz patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
Mautic has Server-Side Template Injection (SSTI) in Theme Templates Critical
CVE-2026-9558 was published for mautic/core (Composer) Jul 2, 2026
onurcangnc Credited to onurcangnc, xfer0, Entropt, patrykgruszka, escopecz, LeuchtfeuerDigitalMarketing, and NumberOreo1 xfer0 xfer0
Entropt Entropt patrykgruszka patrykgruszka escopecz escopecz LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing NumberOreo1 NumberOreo1
Paymenter vulnerable to Remote Code Execution via public file uploads Critical
CVE-2025-58048 was published for paymenter/paymenter (Composer) Jun 22, 2026
enigmaticious Credited to enigmaticious and CorwinDev CorwinDev CorwinDev
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs Critical
CVE-2026-55791 was published for craftcms/cms (Composer) Jun 19, 2026
seoyoung-kang Credited to seoyoung-kang
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header Critical
CVE-2026-54003 was published for getkirby/cms (Composer) Jun 18, 2026
Cotonti: Cross-Site Request Forgery in the administration rights handler Critical
CVE-2026-55742 was published for cotonti/cotonti (Composer) Jun 18, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule Critical
CVE-2026-48062 was published for codeigniter4/framework (Composer) Jun 11, 2026
z3moo Credited to z3moo and teebow1e teebow1e teebow1e
Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter Critical
CVE-2026-48030 was published for pheditor/pheditor (Composer) Jun 9, 2026
muslimbek-0x Credited to muslimbek-0x
PHPSpreadsheet has a patch bypass for CVE-2026-34084 Critical
CVE-2026-45034 was published for phpoffice/phpspreadsheet (Composer) Jun 8, 2026
everping Credited to everping
Shopper: Authorization bypass and RBAC privilege escalation in team settings Critical
CVE-2026-47744 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
arkmarta Credited to arkmarta
Dolibarr ERP CRM contains a remote code evaluation vulnerability Critical
CVE-2018-25357 was published for dolibarr/dolibarr (Composer) May 26, 2026
YesWiki: Unauthenticated SQL Injection Critical
CVE-2026-46670 was published for yeswiki/yeswiki (Composer) May 22, 2026
SamyGhannad Credited to SamyGhannad
Concrete CMS Vulnerable to Relative Path Traversal Critical
CVE-2026-8134 was published for concrete5/concrete5 (Composer) May 21, 2026
Twig: PHP code injection via `{% use %}` template name Critical
CVE-2026-46633 was published for twig/twig (Composer) May 21, 2026
Drupal Core has a SQL Injection issue Critical
CVE-2026-9082 was published for drupal/core (Composer) May 20, 2026
Rudloff Credited to Rudloff and orbegam orbegam orbegam
TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector) Critical
CVE-2026-46725 was published for mmc/ceselector (Composer) May 19, 2026
eliashaeussler Credited to eliashaeussler
Formie: Pre-authenticated server-side template injection in Hidden fields Critical
CVE-2026-45697 was published for verbb/formie (Composer) May 18, 2026
pwnsauc3 Credited to pwnsauc3
Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id Critical
GHSA-6626-79jh-5ccr was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 withdrawn
Duplicate Advisory: phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha Critical
GHSA-ch9q-c9mp-j5gq was published for phpmyfaq/phpmyfaq (Composer) May 15, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API