Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,401 advisories

Loading
Sylius: IDOR on Shop Payment Request API endpoints Moderate
CVE-2026-53639 was published for sylius/sylius (Composer) Jul 9, 2026
baradika Credited to baradika
Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint Moderate
CVE-2026-53638 was published for sylius/sylius (Composer) Jul 9, 2026
FredrikEV Credited to FredrikEV
Sylius: Cart FormComponent allows modification or deletion of an already-completed order Moderate
CVE-2026-53637 was published for sylius/sylius (Composer) Jul 9, 2026
kgonella Credited to kgonella
YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes Moderate
CVE-2026-52774 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php` Moderate
CVE-2026-52773 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html')) Moderate
CVE-2026-52772 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
offset Credited to offset
YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read Moderate
CVE-2026-52763 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests Moderate
CVE-2026-53760 was published for admidio/admidio (Composer) Jul 9, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Sharp Missing Authorization Check in Quick Creation Command Endpoints Moderate
CVE-2026-53634 was published for code16/sharp (Composer) Jul 8, 2026
baradika Credited to baradika
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose Moderate
CVE-2026-45016 was published for egroupware/egroupware (Composer) Jul 7, 2026
smitocaru Credited to smitocaru
Craft CMS: Stored XSS via Structure entry title in table view Moderate
CVE-2026-55793 was published for craftcms/cms (Composer) Jul 6, 2026
Crypto-Cat Credited to Crypto-Cat
Craft CMS: Sensitive File Disclosure / Server-Side File Read Moderate
CVE-2026-55792 was published for craftcms/cms (Composer) Jul 6, 2026
smakarim Credited to smakarim
Susen2 Credited to Susen2
Mautic has Stored Cross-Site Scripting (XSS) in Project Option Selector Moderate
CVE-2026-9811 was published for mautic/core (Composer) Jul 2, 2026
pavelkohout396 Credited to pavelkohout396, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing escopecz escopecz
patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
Mautic Focus component Vulnerable to SSRF Moderate
CVE-2026-9557 was published for mautic/core (Composer) Jul 2, 2026
r1beirin Credited to r1beirin, patrykgruszka, dungNHVhust, and escopecz patrykgruszka patrykgruszka
dungNHVhust dungNHVhust escopecz escopecz
Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API Moderate
GHSA-q4rm-m6xh-5pv7 was published for froxlor/froxlor (Composer) Jul 2, 2026
offset Credited to offset
Froxlor: Authenticated customers can read other customers' allowed sender aliases Moderate
GHSA-mr9h-45p9-fg8h was published for froxlor/froxlor (Composer) Jul 2, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Craft CMS: Unauthorized Deletion of Source Assets During File Replacement Moderate
CVE-2026-50283 was published for craftcms/cms (Composer) Jul 2, 2026
davidbors-snyk Credited to davidbors-snyk and cataliniovita-snyk cataliniovita-snyk cataliniovita-snyk
Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check Moderate
CVE-2026-50280 was published for craftcms/cms (Composer) Jul 2, 2026
larlarua Credited to larlarua
EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components Moderate
GHSA-2wwr-9x6f-88gp was published for easycorp/easyadmin-bundle (Composer) Jul 1, 2026
Paymenter has race condition in payWithCredit() that enables credit double-spend Moderate
CVE-2026-55219 was published for paymenter/paymenter (Composer) Jun 30, 2026
debibobo Credited to debibobo and CorwinDev CorwinDev CorwinDev
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` Moderate
CVE-2026-48808 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters Moderate
CVE-2026-48807 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys Moderate
CVE-2026-48806 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Statamic Vulnerable to CSV formula injection in form submission exports Moderate
CVE-2026-54243 was published for statamic/cms (Composer) Jun 26, 2026
kah-ja Credited to kah-ja
ProTip! Advisories are also available from the GraphQL API