GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
594 advisories
CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34564
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
Critical
CVE-2026-34563
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34561
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34560
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34559
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34557
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34558
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
baserCMS Update Functionality Vulnerable to OS Command Injection
Critical
CVE-2026-30877
was published
for
baserproject/basercms
(Composer)
Mar 31, 2026
baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)
Critical
CVE-2026-21861
was published
for
baserproject/basercms
(Composer)
Mar 31, 2026
ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-27599
was published
for
ci4-cms-erp/ci4ms
(Composer)
Mar 30, 2026
AVideo has Plaintext Video Password Storage
Critical
CVE-2026-33867
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
Critical
CVE-2026-33716
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL
Critical
CVE-2026-30849
was published
for
mantisbt/mantisbt
(Composer)
Mar 23, 2026
AVideo has Unauthenticated SSRF via plugin/Live/test.php
Critical
CVE-2026-33502
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Critical
CVE-2026-33478
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
Critical
CVE-2026-33352
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Critical
CVE-2026-33351
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical
CVE-2026-32817
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Critical
CVE-2026-28697
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Critical
CVE-2026-29058
was published
for
wwbn/avideo
(Composer)
Mar 3, 2026
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
Critical
CVE-2026-27012
was published
for
devcode-it/openstamanager
(Composer)
Mar 3, 2026
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Critical
CVE-2026-26279
was published
for
froxlor/froxlor
(Composer)
Mar 3, 2026
Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint
Critical
CVE-2026-28508
was published
for
idno/known
(Composer)
Mar 2, 2026
ProTip!
Advisories are also available from the
GraphQL API