Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29 advisories

Loading
Paymenter has URL parameter injection that bypasses paid plan limits at checkout High
CVE-2026-47198 was published for paymenter/paymenter (Composer) Jun 30, 2026
debibobo Credited to debibobo and CorwinDev CorwinDev CorwinDev
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings High
GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) Jun 26, 2026
Shopper: Multiple data integrity and disclosure issues in admin Livewire components High
CVE-2026-47743 was published for shopper/framework (Composer) Jun 5, 2026
baradika Credited to baradika
formie's unauthenticated front-end submission editing can overwrite existing submissions High
CVE-2026-47266 was published for verbb/formie (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
phpMyFAQ: IDOR Account Takeover High
CVE-2026-35671 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
cyberHunter127 Credited to cyberHunter127
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint High
CVE-2026-44692 was published for code16/sharp (Composer) May 15, 2026
baradika Credited to baradika
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic High
CVE-2026-42609 was published for getgrav/grav (Composer) May 5, 2026
AnhNg1410 Credited to AnhNg1410
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar High
CVE-2026-40308 was published for joedolson/my-calendar (Composer) Apr 16, 2026
minhi1 Credited to minhi1
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php High
CVE-2026-38532 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php High
CVE-2026-38530 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information High
CVE-2026-32300 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
odgrso Credited to odgrso
Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email) High
CVE-2026-4208 was published for ralffreit/mfa-email (Composer) Mar 17, 2026
MrSilaz Credited to MrSilaz
Sylius affected by IDOR in Cart and Checkout LiveComponents High
CVE-2026-31820 was published for sylius/sylius (Composer) Mar 11, 2026
p- Credited to p- and m-y-mo m-y-mo m-y-mo
Craft CMS has unauthenticated activation email trigger with potential user enumeration High
CVE-2026-29069 was published for craftcms/cms (Composer) Mar 4, 2026
rlarabee Credited to rlarabee and RajChowdhury240 RajChowdhury240 RajChowdhury240
Craft CMS has IDOR via GraphQL @parseRefs High
CVE-2026-28696 was published for craftcms/cms (Composer) Mar 3, 2026
z3rco Credited to z3rco
Craft CMS: GraphQL Asset Mutation Privilege Escalation High
CVE-2026-25497 was published for craftcms/cms (Composer) Feb 9, 2026
vitalysim Credited to vitalysim
Bagisto has IDOR in Customer Order Reorder Functionality High
CVE-2026-21447 was published for bagisto/bagisto (Composer) Jan 2, 2026
DenizParlak Credited to DenizParlak
The Front End User Registration extension for TYPO3 (sr_feuser_register) allows Insecure Direct Object Reference High
CVE-2025-48205 was published for sjbr/sr-feuser-register (Composer) May 21, 2025
Sylius has a security vulnerability via adjustments API endpoint High
CVE-2024-40633 was published for sylius/sylius (Composer) Jul 17, 2024
Magento Improper input validation vulnerability High
CVE-2022-42344 was published for magento/community-edition (Composer) Oct 20, 2022
Magento is affected by an improper input validation vulnerability High
CVE-2021-36032 was published for magento/community-edition (Composer) May 24, 2022
acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation High
CVE-2020-13700 was published for airesvsg/acf-to-rest-api (Composer) May 24, 2022
MarkLee131 Credited to MarkLee131
Magento 2 Community Edition Access Control Bypass High
CVE-2019-7950 was published for magento/community-edition (Composer) May 24, 2022
ProTip! Advisories are also available from the GraphQL API