GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
91 advisories
Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders
High
CVE-2026-47231
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Moderate
CVE-2026-47230
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Moderate
CVE-2026-47227
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Moderate
CVE-2026-47226
was published
for
admidio/admidio
(Composer)
May 29, 2026
phpMyFAQ: IDOR Account Takeover
High
CVE-2026-35671
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 20, 2026
AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
High
GHSA-qxvm-r42f-5p8j
was published
for
WWBN/AVideo
(Composer)
May 15, 2026
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
High
CVE-2026-44692
was published
for
code16/sharp
(Composer)
May 15, 2026
MantisBT Has Authorization Bypass in Global Profile Creation
Moderate
CVE-2026-33052
was published
for
mantisbt/mantisbt
(Composer)
May 11, 2026
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Moderate
CVE-2026-43883
was published
for
wwbn/avideo
(Composer)
May 5, 2026
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
High
CVE-2026-42609
was published
for
getgrav/grav
(Composer)
May 5, 2026
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
High
CVE-2026-40308
was published
for
joedolson/my-calendar
(Composer)
Apr 16, 2026
WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
Moderate
CVE-2026-40907
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
Moderate
CVE-2026-33764
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Moderate
CVE-2026-33759
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
Low
GHSA-44px-qjjc-xrhq
was published
for
craftcms/cms
(Composer)
Mar 26, 2026
Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
Low
CVE-2026-33160
was published
for
craftcms/cms
(Composer)
Mar 24, 2026
Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Moderate
CVE-2026-33158
was published
for
craftcms/cms
(Composer)
Mar 24, 2026
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
High
CVE-2026-32300
was published
for
opensource-workshop/connect-cms
(Composer)
Mar 23, 2026
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
Moderate
CVE-2026-33297
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
High
CVE-2026-4208
was published
for
ralffreit/mfa-email
(Composer)
Mar 17, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
Sylius affected by IDOR in Cart and Checkout LiveComponents
High
CVE-2026-31820
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
ProTip!
Advisories are also available from the
GraphQL API