GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
299 advisories
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR
High
CVE-2026-47415
was published
for
praisonai-platform
(pip)
Jun 1, 2026
praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR
High
CVE-2026-47417
was published
for
praisonai-platform
(pip)
Jun 1, 2026
praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR
High
CVE-2026-47418
was published
for
praisonai-platform
(pip)
Jun 1, 2026
phpMyFAQ: IDOR Account Takeover
High
CVE-2026-35671
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 20, 2026
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)
High
CVE-2026-47414
was published
for
praisonai-platform
(pip)
May 29, 2026
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID
High
CVE-2026-47399
was published
for
praisonai-platform
(pip)
May 29, 2026
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Critical
CVE-2026-47407
was published
for
praisonai-platform
(pip)
May 29, 2026
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
High
CVE-2026-48169
was published
for
praisonai-platform
(pip)
May 29, 2026
Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders
High
CVE-2026-47231
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Moderate
CVE-2026-47230
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Moderate
CVE-2026-47227
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Moderate
CVE-2026-47226
was published
for
admidio/admidio
(Composer)
May 29, 2026
MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path
Critical
GHSA-g53w-w6mj-hrpp
was published
for
github.com/Kuadrant/mcp-gateway
(Go)
May 19, 2026
MantisBT Has Authorization Bypass in Global Profile Creation
Moderate
CVE-2026-33052
was published
for
mantisbt/mantisbt
(Composer)
May 11, 2026
Open WebUI has an Indirect Object Reference (IDOR) in user notes
Moderate
CVE-2026-45666
was published
for
open-webui
(pip)
May 14, 2026
OpenClaw: Hook mapping templates could bypass hook session-key opt-in
Moderate
CVE-2026-45002
was published
for
openclaw
(npm)
Apr 25, 2026
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
High
CVE-2026-45402
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
High
CVE-2026-45398
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
High
CVE-2026-45671
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
Moderate
CVE-2026-45386
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
Moderate
CVE-2026-45385
was published
for
open-webui
(pip)
May 14, 2026
ProTip!
Advisories are also available from the
GraphQL API