GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
594 advisories
phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
Critical
GHSA-289f-fq7w-6q2w
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
Critical
GHSA-9pq7-mfwh-xx2j
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
Critical
CVE-2026-44262
was published
for
dedoc/scramble
(Composer)
May 6, 2026
Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass
Critical
GHSA-vj3m-2g9h-vm4p
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
Critical
CVE-2026-42613
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
Critical
CVE-2026-42607
was published
for
getgrav/grav
(Composer)
May 5, 2026
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs
Critical
CVE-2026-42155
was published
for
openmage/magento-lts
(Composer)
May 5, 2026
phpVMS has an /importer authorization bypass causing full database wipe
Critical
CVE-2026-42569
was published
for
nabeel/phpvms
(Composer)
May 4, 2026
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41203
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41202
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Critical
CVE-2026-23500
was published
for
dolibarr/dolibarr
(Composer)
Apr 17, 2026
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution
Critical
CVE-2026-41228
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Critical
CVE-2026-41229
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Critical
CVE-2026-40911
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
Critical
CVE-2026-35035
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 6, 2026
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34989
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 3, 2026
CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
Critical
CVE-2026-34571
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34569
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34568
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34567
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34566
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34565
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
ProTip!
Advisories are also available from the
GraphQL API