GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 86
GitHub Actions: 54
Go: 4,175
Maven: 5,000+
npm: 5,000+
NuGet: 1,019
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,421
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
3,377 advisories
Statamic Vulnerable to CSV formula injection in form submission exports
Moderate · CVE-2026-54243 was published for statamic/cms (Composer) · Jun 26, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate · CVE-2026-54242 was published for statamic/cms (Composer) · Jun 26, 2026
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Moderate · CVE-2026-49288 was published for statamic/cms (Composer) · Jun 26, 2026
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
Moderate · CVE-2026-49359 was published for pontedilana/php-weasyprint (Composer) · Jun 26, 2026
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Moderate · GHSA-q683-8468-r6h6 was published for web-auth/webauthn-symfony-bundle (Composer) · Jun 26, 2026
CakePHP: View::element() is missing a path containment check
Moderate · CVE-2026-48820 was published for cakephp/cakephp (Composer) · Jun 26, 2026
Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system
Moderate · GHSA-j7f5-gfqm-pcx3 was published for pterodactyl/panel (Composer) · Jun 26, 2026
Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation
Moderate · CVE-2026-55483 was published for snipe/snipe-it (Composer) · Jun 23, 2026
Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update
Moderate · CVE-2026-55482 was published for snipe/snipe-it (Composer) · Jun 23, 2026
Snipe-IT has a 2FA reset privilege bypass
Moderate · CVE-2026-50550 was published for snipe/snipe-it (Composer) · Jun 23, 2026
Snipe-IT Vulnerable to User Account Escalation via CSV Import
Moderate · CVE-2026-49976 was published for snipe/snipe-it (Composer) · Jun 23, 2026
Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor`
Moderate · CVE-2026-49870 was published for snipe/snipe-it (Composer) · Jun 23, 2026
phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)
Moderate · CVE-2026-49205 was published for phpmyfaq/phpmyfaq (Composer) · Jun 23, 2026
Filament: Unauthenticated temporary file upload on auth pages
Moderate · CVE-2026-48500 was published for filament/filament (Composer) · Jun 23, 2026
Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Moderate · CVE-2026-48493 was published for snipe/snipe-it (Composer) · Jun 23, 2026
Snipe-IT's selectlist visibility is too permissive
Moderate · CVE-2026-48492 was published for snipe/snipe-it (Composer) · Jun 23, 2026
Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS
Moderate · CVE-2026-48167 was published for filament/infolists (Composer) · Jun 23, 2026
Filament: Timing-based user enumeration on login page
Moderate · CVE-2026-48166 was published for filament/filament (Composer) · Jun 23, 2026
Slim has Reflected XSS in the HtmlErrorRenderer
Moderate · CVE-2026-48157 was published for slim/slim (Composer) · Jun 23, 2026
AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel
Moderate · GHSA-7cqp-7cfv-6c3q was published for wwbn/avideo (Composer) · Jun 23, 2026
Paymenter has broken object level authorization via service reference manipulation on ticket creation
Moderate · CVE-2026-44585 was published for paymenter/paymenter (Composer) · Jun 22, 2026
Paymenter doesn't reset email verification status after email change
Moderate · CVE-2026-44584 was published for paymenter/paymenter (Composer) · Jun 22, 2026
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module
Moderate · CVE-2026-44583 was published for paymenter/paymenter (Composer) · Jun 22, 2026
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data
Moderate · CVE-2026-33731 was published for wwbn/avideo (Composer) · Jun 22, 2026
AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
Moderate · CVE-2026-33684 was published for wwbn/avideo (Composer) · Jun 22, 2026
ProTip! Advisories are also available from the GraphQL API.