Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,736 advisories

Loading
YesWiki has Authenticated SQL Injection via ReactionManager High
CVE-2026-52775 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`) High
CVE-2026-52771 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters High
CVE-2026-52770 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
sondt99 Credited to sondt99
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId` High
CVE-2026-52769 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
hash3liZer Credited to hash3liZer
hash3liZer Credited to hash3liZer and eros938 eros938 eros938
laravel-backup-restore has an OS Command Injection during database restore High
CVE-2026-53932 was published for wnx/laravel-backup-restore (Composer) Jul 9, 2026
YHalo-wyh Credited to YHalo-wyh
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview High
GHSA-86vw-x4ww-x467 was published for craftcms/cms (Composer) Jul 9, 2026
q1uf3ng Credited to q1uf3ng
EGroupware has Authenticated RCE via Malicious eTemplate Upload High
CVE-2026-40187 was published for egroupware/egroupware (Composer) Jul 7, 2026
dapickle Credited to dapickle
Craft CMS: Potential authenticated Remote Code Execution via referrer redirect High
CVE-2026-55794 was published for craftcms/cms (Composer) Jul 6, 2026
Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget High
CVE-2026-55790 was published for craftcms/cms (Composer) Jul 6, 2026
Crypto-Cat Credited to Crypto-Cat
SimpleSAMLphp has Possible DoS via XPath Transform High
CVE-2026-49289 was published for simplesamlphp/saml2 (Composer) Jul 2, 2026
ahacker1-securesaml Credited to ahacker1-securesaml
SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass High
CVE-2026-49283 was published for simplesamlphp/saml2 (Composer) Jul 2, 2026
kamil-sawicki Credited to kamil-sawicki
Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves High
CVE-2026-50282 was published for craftcms/cms (Composer) Jul 2, 2026
davidbors-snyk Credited to davidbors-snyk and cataliniovita-snyk cataliniovita-snyk cataliniovita-snyk
Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements High
CVE-2026-50281 was published for craftcms/cms (Composer) Jul 2, 2026
adrgs Credited to adrgs
Mautic has Stored Cross-Site Scripting (XSS) in Projects Component High
CVE-2026-9809 was published for mautic/core (Composer) Jul 2, 2026
34selen Credited to 34selen, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing escopecz escopecz
patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
Mautic has an Authorization Bypass in API v2 Endpoints High
CVE-2026-9808 was published for mautic/core (Composer) Jul 2, 2026
zerlyer Credited to zerlyer, pavelkohout396, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing pavelkohout396 pavelkohout396
escopecz escopecz patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
Mautic has SQL Injection in API Contact Filtering High
CVE-2026-4776 was published for mautic/core (Composer) Jul 2, 2026
Senku01 Credited to Senku01, Harish4948, patrykgruszka, and LeuchtfeuerDigitalMarketing Harish4948 Harish4948
patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
offset Credited to offset
Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap High
CVE-2026-50279 was published for craftcms/cms (Composer) Jul 2, 2026
larlarua Credited to larlarua
mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function High
CVE-2026-52854 was published for mediawiki/maps (Composer) Jul 2, 2026
SomeMWDev Credited to SomeMWDev
fabpot Credited to fabpot
Paymenter has URL parameter injection that bypasses paid plan limits at checkout High
CVE-2026-47198 was published for paymenter/paymenter (Composer) Jun 30, 2026
debibobo Credited to debibobo and CorwinDev CorwinDev CorwinDev
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings High
GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) Jun 26, 2026
ProTip! Advisories are also available from the GraphQL API