Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

62 advisories

Loading
Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update Moderate
CVE-2026-55482 was published for snipe/snipe-it (Composer) Jun 23, 2026
TristanInSec Credited to TristanInSec
Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields Moderate
CVE-2026-48067 was published for filament/actions (Composer) Jun 11, 2026
baradika Credited to baradika and danharrin danharrin danharrin
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders Moderate
CVE-2026-47230 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
VishaaLlKumaaRr Credited to VishaaLlKumaaRr
Concrete CMS is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block Moderate
CVE-2026-7881 was published for concrete5/concrete5 (Composer) May 22, 2026
Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog Moderate
CVE-2026-8204 was published for concrete5/concrete5 (Composer) May 21, 2026
TYPO3 sf_register extension allows unauthorized assignment of frontend user groups Moderate
CVE-2026-46721 was published for evoweb/sf-register (Composer) May 19, 2026
eliashaeussler Credited to eliashaeussler
MantisBT Has Authorization Bypass in Global Profile Creation Moderate
CVE-2026-33052 was published for mantisbt/mantisbt (Composer) May 11, 2026
shukla304 Credited to shukla304 and dregad dregad dregad
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements Moderate
CVE-2026-43883 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens Moderate
CVE-2026-40907 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions Moderate
CVE-2026-33764 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents Moderate
CVE-2026-33759 was published for wwbn/avideo (Composer) Mar 26, 2026
offset Credited to offset
Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR) Moderate
CVE-2026-33158 was published for craftcms/cms (Composer) Mar 24, 2026
GCXWLP Credited to GCXWLP
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php Moderate
CVE-2026-33297 was published for wwbn/avideo (Composer) Mar 19, 2026
fg0x0 Credited to fg0x0
Craft Commerce: Potential IDOR in Commerce carts Moderate
CVE-2026-31867 was published for craftcms/commerce (Composer) Mar 10, 2026
rlarabee Credited to rlarabee and RajChowdhury240 RajChowdhury240 RajChowdhury240
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter Moderate
CVE-2026-30927 was published for admidio/admidio (Composer) Mar 9, 2026
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action Moderate
CVE-2026-28782 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
Craft CMS: Entries Authorship Spoofing via Mass Assignment Moderate
CVE-2026-28781 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am, RajChowdhury240, and rlarabee RajChowdhury240 RajChowdhury240
rlarabee rlarabee
Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel Moderate
CVE-2025-66306 was published for getgrav/grav (Composer) Dec 2, 2025
ElvinNuruyev Credited to ElvinNuruyev
Powermail extension for TYPO3 allows Insecure Direct Object Reference Moderate
CVE-2025-7899 was published for in2code/powermail (Composer) Jul 22, 2025
Femanager extension for TYPO3 allows Insecure Direct Object Reference Moderate
CVE-2025-7900 was published for in2code/femanager (Composer) Jul 22, 2025
reint_downloadmanager TYPO3 Extension is susceptible to Insecure Direct Object Reference Moderate
CVE-2025-48207 was published for renolit/reint-downloadmanager (Composer) May 21, 2025
The femanager TYPO3 extension allows Insecure Direct Object Reference Moderate
CVE-2025-48202 was published for in2code/femanager (Composer) May 21, 2025
Grokability Snipe-IT has incorrect authorization for accessing asset information Moderate
CVE-2025-47226 was published for snipe/snipe-it (Composer) May 2, 2025
ProTip! Advisories are also available from the GraphQL API