Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

429 advisories

Loading
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read Low
GHSA-c43v-4cr8-6mvp was published for craftcms/cms (Composer) Jul 9, 2026
GCXWLP Credited to GCXWLP
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API Low
CVE-2026-10215 was published for dolibarr/dolibarr (Composer) Jun 1, 2026
Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation Low
GHSA-j5mc-p8qg-39j7 was published for kimai/kimai (Composer) Jul 2, 2026
Mitchell45 Credited to Mitchell45
Kimai Password Reset Link Remains Valid After Password Change Low
GHSA-m492-gv72-xvxj was published for kimai/kimai (Composer) Jul 1, 2026
AzureADTrent Credited to AzureADTrent
Schema.org has cross-site scripting (XSS) via script break-out in toScript() output Low
GHSA-hwmc-r6mf-jh83 was published for spatie/schema-org (Composer) Jul 1, 2026
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` Low
CVE-2026-48805 was published for twig/twig (Composer) Jun 30, 2026
fabpot Credited to fabpot
Concrete CMS is vulnerable to Stored XSS via page name in the Atomik theme Low
CVE-2026-8353 was published for concrete5/concrete5 (Composer) May 26, 2026
Concrete CMS is vulnerable to CSRF via Backend\File::approveVersion Low
CVE-2026-8340 was published for concrete5/concrete5 (Composer) May 26, 2026
Concrete CMS is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog Low
CVE-2026-8347 was published for concrete5/concrete5 (Composer) May 26, 2026
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
jqr1449186277 Credited to jqr1449186277
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles Low
CVE-2026-49358 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
PomPomSaturin Credited to PomPomSaturin
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion() Low
CVE-2026-8435 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple() Low
CVE-2026-8434 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan() Low
CVE-2026-8433 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star() Low
CVE-2026-8432 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design Low
CVE-2026-8413 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate Low
CVE-2026-8414 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache Low
CVE-2026-8412 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete Low
CVE-2026-8411 was published for concrete5/concrete5 (Composer) May 22, 2026
ProTip! Advisories are also available from the GraphQL API