GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
130 advisories
Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024
Moderate | CVE-2026-47233 was published for admidio/admidio (Composer) | May 29, 2026

Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Moderate | CVE-2026-47226 was published for admidio/admidio (Composer) | May 29, 2026

phpMyFAQ: IDOR Account Takeover
High | CVE-2026-35671 was published for phpmyfaq/phpmyfaq (Composer) | May 20, 2026

Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
Moderate | CVE-2026-45334 was published for getkirby/cms (Composer) | May 27, 2026

Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
High | CVE-2026-45260 was published for pimcore/pimcore (Composer) | May 27, 2026

Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
Moderate | CVE-2026-44176 was published for getkirby/cms (Composer) | May 26, 2026

phpMyFAQ: Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
Moderate | CVE-2026-46365 was published for phpMyFAQ/phpMyFAQ (Composer) | May 15, 2026

AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
Moderate | CVE-2026-46337 was published for WWBN/AVideo (Composer) | May 19, 2026

shopper/framework: Authorization bypass in multiple Livewire admin components
High | GHSA-f946-9qp6-vgch was published for shopper/framework (Composer) | May 18, 2026

Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
High | CVE-2026-44012 was published for craftcms/cms (Composer) | May 6, 2026

Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
High | CVE-2026-44010 was published for craftcms/cms (Composer) | May 6, 2026

AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
High | CVE-2026-43885 was published for wwbn/avideo (Composer) | May 5, 2026

phpVMS has an /importer authorization bypass causing full database wipe
Critical | CVE-2026-42569 was published for nabeel/phpvms (Composer) | May 4, 2026

Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
Moderate | CVE-2026-42051 was published for getkirby/cms (Composer) | May 4, 2026

Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
Moderate | CVE-2026-42174 was published for getkirby/cms (Composer) | May 4, 2026

Kirby CMS's read access to site, user and role information is not gated by permissions
High | CVE-2026-42069 was published for getkirby/cms (Composer) | May 4, 2026

Kimai has Missing Object-Level Authorization in the Team API
Low | CVE-2026-41498 was published for kimai/kimai (Composer) | Apr 24, 2026

MantisBT has a Private Bugnote Attachment Content Leak via REST API
High | CVE-2026-42071 was published for mantisbt/mantisbt (Composer) | May 11, 2026

Kimai's API invoice endpoint missing customer-level access control (IDOR)
Moderate | CVE-2026-28685 was published for kimai/kimai (Composer) | Mar 4, 2026

Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items
Moderate | CVE-2026-41658 was published for admidio/admidio (Composer) | Apr 29, 2026

phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User
Moderate | GHSA-rm98-82fr-mcfx was published for phpmyfaq/phpmyfaq (Composer) | May 6, 2026

phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
Moderate | GHSA-7cx3-2qx2-3g6w was published for phpmyfaq/phpmyfaq (Composer) | May 6, 2026

AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration
Moderate | GHSA-qff7-q5fm-8p76 was published for azuracast/azuracast (Composer) | May 4, 2026

AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption
Moderate | GHSA-4fm3-ggg2-c6qx was published for azuracast/azuracast (Composer) | May 4, 2026

Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API
High | CVE-2026-42137 was published for getkirby/cms (Composer) | Apr 30, 2026