Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

429 advisories

Loading
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read Low
GHSA-c43v-4cr8-6mvp was published for craftcms/cms (Composer) Jul 9, 2026
GCXWLP Credited to GCXWLP
Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation Low
GHSA-j5mc-p8qg-39j7 was published for kimai/kimai (Composer) Jul 2, 2026
Mitchell45 Credited to Mitchell45
Kimai Password Reset Link Remains Valid After Password Change Low
GHSA-m492-gv72-xvxj was published for kimai/kimai (Composer) Jul 1, 2026
AzureADTrent Credited to AzureADTrent
Schema.org has cross-site scripting (XSS) via script break-out in toScript() output Low
GHSA-hwmc-r6mf-jh83 was published for spatie/schema-org (Composer) Jul 1, 2026
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` Low
CVE-2026-48805 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
jqr1449186277 Credited to jqr1449186277
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles Low
CVE-2026-49358 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
PomPomSaturin Credited to PomPomSaturin
Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL Low
CVE-2026-55542 was published for snipe/snipe-it (Composer) Jun 23, 2026
Snipe-IT has Improper Authorization in File Deletion (IDOR) Low
CVE-2026-55519 was published for snipe/snipe-it (Composer) Jun 23, 2026
windbreaker555 Credited to windbreaker555
phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing Low
CVE-2026-48488 was published for phpmyfaq/phpmyfaq (Composer) Jun 23, 2026
N0tFix3d Credited to N0tFix3d
symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted Low
CVE-2026-49215 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Kocal Credited to Kocal
symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding Low
CVE-2026-49212 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Kocal Credited to Kocal
symfony/ux-live-component: Denial of service via unbounded batch action requests Low
CVE-2026-49209 was published for symfony/ux-live-component (Composer) Jun 19, 2026
Amoifr Credited to Amoifr and Kocal Kocal Kocal
TYPO3 CMS has Broken Access Control in its File Abstraction Layer Low
CVE-2026-49738 was published for typo3/cms-core (Composer) Jun 12, 2026
TYPO3 HTML Sanitizer allows Cross-site Scripting Low
CVE-2026-47344 was published for typo3/html-sanitizer (Composer) Jun 12, 2026
ohader Credited to ohader
Twig: XSS in profiler HtmlDumper via unescaped template and profile names Low
CVE-2026-47730 was published for twig/twig (Composer) Jun 5, 2026
nicolas-grekas Credited to nicolas-grekas
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames Low
CVE-2026-48011 was published for shopware/core (Composer) Jun 4, 2026
NielDuysters Credited to NielDuysters and tbrankaer tbrankaer tbrankaer
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API Low
CVE-2026-10215 was published for dolibarr/dolibarr (Composer) Jun 1, 2026
nicolas-grekas Credited to nicolas-grekas
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS Low
CVE-2026-45756 was published for symfony/json-path (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois and unknownhad unknownhad unknownhad
nicolas-grekas Credited to nicolas-grekas
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex Low
CVE-2026-45305 was published for symfony/symfony (Composer) May 27, 2026
ProTip! Advisories are also available from the GraphQL API