Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

628 advisories

Loading
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE Critical
GHSA-hgjx-r89m-m7v4 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
aslein1413-sys Credited to aslein1413-sys
FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn` Critical
CVE-2026-45262 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
offset Credited to offset
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover Critical
CVE-2026-52824 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
FacturaScripts: Account takeover of any 2FA-enabled user Critical
CVE-2026-47677 was published for facturascripts/facturascripts (Composer) Jul 13, 2026
janssensjelle Credited to janssensjelle
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE Critical
CVE-2026-54159 was published for prestashop/ps_facetedsearch (Composer) Jul 10, 2026
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize Critical
CVE-2026-52777 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
fg0x0 Credited to fg0x0
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action Critical
CVE-2026-52766 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
EGroupware has a Remote Code Execution Vulnerability Critical
CVE-2026-27823 was published for egroupware/egroupware (Composer) Jul 7, 2026
realalphaman Credited to realalphaman
Formie Hidden field defaults vulnerable to Server-Side Template Injection Critical
CVE-2026-52889 was published for verbb/formie (Composer) Jul 6, 2026
Mautic vulnerable to Path Traversal via Campaign Import Critical
CVE-2026-9559 was published for mautic/core (Composer) Jul 2, 2026
nglong05 Credited to nglong05, f3nrir77, escopecz, patrykgruszka, and LeuchtfeuerDigitalMarketing f3nrir77 f3nrir77
escopecz escopecz patrykgruszka patrykgruszka LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing
Mautic has Server-Side Template Injection (SSTI) in Theme Templates Critical
CVE-2026-9558 was published for mautic/core (Composer) Jul 2, 2026
onurcangnc Credited to onurcangnc, xfer0, Entropt, patrykgruszka, escopecz, LeuchtfeuerDigitalMarketing, and NumberOreo1 xfer0 xfer0
Entropt Entropt patrykgruszka patrykgruszka escopecz escopecz LeuchtfeuerDigitalMarketing LeuchtfeuerDigitalMarketing NumberOreo1 NumberOreo1
Paymenter vulnerable to Remote Code Execution via public file uploads Critical
CVE-2025-58048 was published for paymenter/paymenter (Composer) Jun 22, 2026
enigmaticious Credited to enigmaticious and CorwinDev CorwinDev CorwinDev
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs Critical
CVE-2026-55791 was published for craftcms/cms (Composer) Jun 19, 2026
seoyoung-kang Credited to seoyoung-kang
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header Critical
CVE-2026-54003 was published for getkirby/cms (Composer) Jun 18, 2026
Cotonti: Cross-Site Request Forgery in the administration rights handler Critical
CVE-2026-55742 was published for cotonti/cotonti (Composer) Jun 18, 2026
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule Critical
CVE-2026-48062 was published for codeigniter4/framework (Composer) Jun 11, 2026
z3moo Credited to z3moo and teebow1e teebow1e teebow1e
Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter Critical
CVE-2026-48030 was published for pheditor/pheditor (Composer) Jun 9, 2026
muslimbek-0x Credited to muslimbek-0x
PHPSpreadsheet has a patch bypass for CVE-2026-34084 Critical
CVE-2026-45034 was published for phpoffice/phpspreadsheet (Composer) Jun 8, 2026
everping Credited to everping
Shopper: Authorization bypass and RBAC privilege escalation in team settings Critical
CVE-2026-47744 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
arkmarta Credited to arkmarta
Dolibarr ERP CRM contains a remote code evaluation vulnerability Critical
CVE-2018-25357 was published for dolibarr/dolibarr (Composer) May 26, 2026
YesWiki: Unauthenticated SQL Injection Critical
CVE-2026-46670 was published for yeswiki/yeswiki (Composer) May 22, 2026
SamyGhannad Credited to SamyGhannad
Concrete CMS Vulnerable to Relative Path Traversal Critical
CVE-2026-8134 was published for concrete5/concrete5 (Composer) May 21, 2026
Twig: PHP code injection via `{% use %}` template name Critical
CVE-2026-46633 was published for twig/twig (Composer) May 21, 2026
ProTip! Advisories are also available from the GraphQL API