GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
57 advisories
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Moderate | CVE-2026-47230 was published for admidio/admidio (Composer) | May 29, 2026

Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Moderate | CVE-2026-47227 was published for admidio/admidio (Composer) | May 29, 2026

Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Moderate | CVE-2026-47226 was published for admidio/admidio (Composer) | May 29, 2026

MantisBT Has Authorization Bypass in Global Profile Creation
Moderate | CVE-2026-33052 was published for mantisbt/mantisbt (Composer) | May 11, 2026

AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Moderate | CVE-2026-43883 was published for wwbn/avideo (Composer) | May 5, 2026

WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
Moderate | CVE-2026-40907 was published for wwbn/avideo (Composer) | Apr 14, 2026

AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
Moderate | CVE-2026-33764 was published for wwbn/avideo (Composer) | Mar 26, 2026

AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Moderate | CVE-2026-33759 was published for wwbn/avideo (Composer) | Mar 26, 2026

Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Moderate | CVE-2026-33158 was published for craftcms/cms (Composer) | Mar 24, 2026

AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
Moderate | CVE-2026-33297 was published for wwbn/avideo (Composer) | Mar 19, 2026

Craft Commerce: Potential IDOR in Commerce carts
Moderate | CVE-2026-31867 was published for craftcms/commerce (Composer) | Mar 10, 2026

Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter
Moderate | CVE-2026-30927 was published for admidio/admidio (Composer) | Mar 9, 2026

Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
Moderate | CVE-2026-28782 was published for craftcms/cms (Composer) | Mar 3, 2026

Craft CMS: Entries Authorship Spoofing via Mass Assignment
Moderate | CVE-2026-28781 was published for craftcms/cms (Composer) | Mar 3, 2026

Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
Moderate | CVE-2025-66306 was published for getgrav/grav (Composer) | Dec 2, 2025

Femanager extension for TYPO3 allows Insecure Direct Object Reference
Moderate | CVE-2025-7900 was published for in2code/femanager (Composer) | Jul 22, 2025

Powermail extension for TYPO3 allows Insecure Direct Object Reference
Moderate | CVE-2025-7899 was published for in2code/powermail (Composer) | Jul 22, 2025

reint_downloadmanager TYPO3 Extension is susceptible to Insecure Direct Object Reference
Moderate | CVE-2025-48207 was published for renolit/reint-downloadmanager (Composer) | May 21, 2025

The femanager TYPO3 extension allows Insecure Direct Object Reference
Moderate | CVE-2025-48202 was published for in2code/femanager (Composer) | May 21, 2025

Grokability Snipe-IT has incorrect authorization for accessing asset information
Moderate | CVE-2025-47226 was published for snipe/snipe-it (Composer) | May 2, 2025

Moodle allows IDOR in RSS block, which allows access to additional RSS feeds
Moderate | CVE-2025-3636 was published for moodle/moodle (Composer) | Apr 25, 2025

Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users
Moderate | CVE-2025-3640 was published for moodle/moodle (Composer) | Apr 25, 2025

TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc)
Moderate | CVE-2025-24856 was published for causal/oidc (Composer) | Jan 28, 2025

Moodle IDOR when deleting OAuth2 linked accounts
Moderate | CVE-2024-45690 was published for moodle/moodle (Composer) | Nov 20, 2024

Moodle IDOR when accessing list of course badges
Moderate | CVE-2024-48899 was published for moodle/moodle (Composer) | Nov 20, 2024