GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30 advisories

Economizzer Insecure Direct Object Reference vulnerability Low
CVE-2023-38872 was published for gugoan/economizzer (Composer) Sep 28, 2023
@strapi/plugin-content-manager leaks data via relations via the Admin Panel Low
CVE-2024-29181 was published for @strapi/plugin-content-manager (npm) Jun 12, 2024
Credited to felixdkatt, derrickmehaffy, Bassel17, and christiancp100
OpenSearch Observability does not properly restrict access to private tenant resources Low
CVE-2024-39901 was published for org.opensearch.plugin:opensearch-observability (Maven) Jul 10, 2024
Grafana org admin can delete pending invites in different org Low
CVE-2024-10452 was published for github.com/grafana/grafana (Go) Oct 29, 2024
Oqtane Framework Insecure Direct Object Reference vulnerability Low
CVE-2024-55186 was published for Oqtane.Client (NuGet) Dec 20, 2024
xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key Low
CVE-2025-9263 was published for com.xuxueli:xxl-job-admin (Maven) Aug 21, 2025
xxl-job Jobs Handler remove function allows improper control of resource identifiers via ID parameter Low
CVE-2025-9264 was published for com.xuxueli:xxl-job-admin (Maven) Aug 21, 2025
Mattermost boards plugin fails to restrict download access to files Low
CVE-2025-9081 was published for github.com/mattermost/mattermost-plugin-boards (Go) Sep 19, 2025
EverShop is vulnerable to Unauthorized Order Information Access (IDOR) Low
CVE-2025-12919 was published for @evershop/evershop (npm) Nov 9, 2025
pretix has Broken Access Control Allowing Cross-User File Access via UUID Low
CVE-2025-14881 was published for pretix (pip) Dec 19, 2025
pretix has Broken Access Control Allowing Cross-User File Access via UUID Low
CVE-2025-14882 was published for pretix (pip) Dec 19, 2025
Chainlit contains an authorization bypass vulnerability Low
CVE-2025-68492 was published for chainlit (pip) Jan 14, 2026
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data Low
CVE-2026-27838 was published for wger (pip) Feb 26, 2026
Credited to ByamB4
Keycloak vulnerable to authorization bypass via the Admin API Low
CVE-2026-2366 was published for @keycloak/keycloak-admin-client (Maven) Mar 12, 2026
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens Low
CVE-2026-32638 was published for studiocms (npm) Mar 16, 2026
Credited to offset and Adammatthiesen
Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL Low
CVE-2026-33160 was published for craftcms/cms (Composer) Mar 24, 2026
Credited to GCXWLP
Credited to GCXWLP
Credited to zpbrent
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories Low
CVE-2026-29071 was published for open-webui (pip) Mar 27, 2026
Credited to MariuszMaik
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Low
CVE-2026-35617 was published for openclaw (npm) Mar 29, 2026
Credited to zpbrent
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID Low
GHSA-9pm8-vwc5-w2hm was published for fat_free_crm (RubyGems) Apr 14, 2026
Credited to bgeesaman
Concrete CMS is vulnerable to IDOR in AddMessage/UpdateMessage Low
CVE-2026-7886 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog Low
CVE-2026-8347 was published for concrete5/concrete5 (Composer) May 26, 2026
ProTip! Advisories are also available from the GraphQL API