Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,216 advisories

Loading
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE Critical
GHSA-hgjx-r89m-m7v4 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
aslein1413-sys Credited to aslein1413-sys
EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField High
CVE-2026-54087 was published for easycorp/easyadmin-bundle (Composer) Jul 14, 2026
Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter Moderate
CVE-2026-50157 was published for auth0/symfony (Composer) Jul 14, 2026
FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents High
CVE-2026-45693 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
5kr1pt Credited to 5kr1pt
FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn` Critical
CVE-2026-45262 was published for facturascripts/facturascripts (Composer) Jul 14, 2026
offset Credited to offset
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access Moderate
CVE-2026-52828 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP High
CVE-2026-52827 was published for kimai/kimai (Composer) Jul 14, 2026
shafiqaimanx Credited to shafiqaimanx
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover Critical
CVE-2026-52824 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes Moderate
CVE-2026-52823 was published for kimai/kimai (Composer) Jul 14, 2026
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass Moderate
CVE-2026-52820 was published for kimai/kimai (Composer) Jul 13, 2026
offset Credited to offset
offset Credited to offset
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes Moderate
CVE-2026-49992 was published for kimai/kimai (Composer) Jul 13, 2026
Mitchell45 Credited to Mitchell45
FacturaScripts: Account takeover of any 2FA-enabled user Critical
CVE-2026-47677 was published for facturascripts/facturascripts (Composer) Jul 13, 2026
janssensjelle Credited to janssensjelle
NukeViet: Pre-authentication SSRF via X-Forwarded-Host High
CVE-2026-55372 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function High
CVE-2026-54065 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module High
CVE-2026-54064 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and g03m0n g03m0n g03m0n
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') High
CVE-2026-49259 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
0xGunrunner Credited to 0xGunrunner
NukeViet: Unauthenticated Reflected XSS in Comment Module High
CVE-2026-48118 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and 0xGunrunner 0xGunrunner 0xGunrunner
ProTip! Advisories are also available from the GraphQL API