Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,426
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,670
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

58 advisories

Loading
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page Moderate
CVE-2026-39367 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php Moderate
CVE-2026-39366 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter Moderate
CVE-2026-34383 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
Admidio has Missing CSRF Protection on Registration Approval Actions Moderate
CVE-2026-34384 was published for admidio/admidio (Composer) Mar 31, 2026
offset Credited to offset
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification Moderate
CVE-2026-34369 was published for wwbn/avideo (Composer) Mar 30, 2026
offset Credited to offset
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php Moderate
CVE-2026-34364 was published for wwbn/avideo (Composer) Mar 30, 2026
offset Credited to offset
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() Moderate
CVE-2026-34362 was published for wwbn/avideo (Composer) Mar 30, 2026
offset Credited to offset
AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications Moderate
CVE-2026-34247 was published for wwbn/avideo (Composer) Mar 29, 2026
offset Credited to offset
AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking Moderate
CVE-2026-34245 was published for wwbn/avideo (Composer) Mar 29, 2026
offset Credited to offset
AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records High
GHSA-wprj-9cvc-5w37 was published for wwbn/avideo (Composer) Mar 29, 2026
offset Credited to offset
Statamic allows unauthorized content access through missing authorization in its revision controllers Moderate
CVE-2026-33887 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields Moderate
CVE-2026-33886 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential Moderate
CVE-2026-33885 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic's live preview token bypasses content protection for unrelated entries Moderate
CVE-2026-33884 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag Moderate
CVE-2026-33883 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions Moderate
CVE-2026-33764 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle Moderate
CVE-2026-33763 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings Moderate
CVE-2026-33761 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents Moderate
CVE-2026-33759 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter High
CVE-2026-33723 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment High
CVE-2026-33719 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL High
CVE-2026-33717 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php Critical
CVE-2026-33716 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php Moderate
GHSA-wxjx-r2j2-96fx was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint Moderate
CVE-2026-33688 was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database