GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5,654 advisories
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
High
CVE-2026-24765
was published
for
phpunit/phpunit
(Composer)
Jan 27, 2026
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
High
CVE-2026-41570
was published
for
phpunit/phpunit
(Composer)
Apr 18, 2026
Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
High
CVE-2026-4208
was published
for
ralffreit/mfa-email
(Composer)
Mar 17, 2026
The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class
Moderate
CVE-2026-1323
was published
for
cpsit/typo3-mailqueue
(Composer)
Mar 18, 2026
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
Moderate
CVE-2026-40099
was published
for
getkirby/cms
(Composer)
Apr 23, 2026
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
High
CVE-2026-34587
was published
for
getkirby/cms
(Composer)
Apr 23, 2026
Kirby has XML injection in its XML creator toolkit
Moderate
CVE-2026-32870
was published
for
getkirby/cms
(Composer)
Apr 23, 2026
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
Moderate
CVE-2026-40098
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
October Rain has Stored XSS via SVG Filter Bypass
Moderate
CVE-2026-25133
was published
for
october/rain
(Composer)
Apr 14, 2026
CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
High
CVE-2026-34572
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
Critical
CVE-2026-34563
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-27599
was published
for
ci4-cms-erp/ci4ms
(Composer)
Mar 30, 2026
CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34561
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
High
CVE-2026-41143
was published
for
yeswiki/yeswiki
(Composer)
Apr 18, 2026
Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate
Moderate
CVE-2026-40486
was published
for
kimai/kimai
(Composer)
Apr 15, 2026
Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header
High
CVE-2026-39971
was published
for
s9y/serendipity
(Composer)
Apr 14, 2026
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
High
CVE-2026-39369
was published
for
WWBN/AVideo
(Composer)
Apr 8, 2026
October CMS has Safe Mode Bypass via Twig Database Write Operations
Moderate
CVE-2026-26274
was published
for
october/october
(Composer)
Apr 21, 2026
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Moderate
CVE-2026-26067
was published
for
october/system
(Composer)
Apr 21, 2026
ProTip!
Advisories are also available from the
GraphQL API