GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
115 advisories
phpVMS has an /importer authorization bypass causing full database wipe
Critical
CVE-2026-42569
was published
for
nabeel/phpvms
(Composer)
May 4, 2026
AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration
Moderate
GHSA-qff7-q5fm-8p76
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption
Moderate
GHSA-4fm3-ggg2-c6qx
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
Moderate
CVE-2026-42051
was published
for
getkirby/cms
(Composer)
May 4, 2026
Kirby CMS's read access to site, user and role information is not gated by permissions
High
CVE-2026-42069
was published
for
getkirby/cms
(Composer)
May 4, 2026
Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items
Moderate
CVE-2026-41658
was published
for
admidio/admidio
(Composer)
Apr 29, 2026
Kimai has Missing Object-Level Authorization in the Team API
Low
CVE-2026-41498
was published
for
kimai/kimai
(Composer)
Apr 24, 2026
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
Moderate
CVE-2026-40098
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
Moderate
CVE-2026-41128
was published
for
craftcms/cms
(Composer)
Apr 14, 2026
Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
Low
CVE-2026-32270
was published
for
craftcms/commerce
(Composer)
Apr 14, 2026
AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
Low
CVE-2026-35448
was published
for
wwbn/avideo
(Composer)
Apr 4, 2026
AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
Moderate
CVE-2026-35179
was published
for
wwbn/avideo
(Composer)
Apr 3, 2026
AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug
Moderate
CVE-2026-34737
was published
for
wwbn/avideo
(Composer)
Apr 1, 2026
AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
Moderate
CVE-2026-34395
was published
for
wwbn/avideo
(Composer)
Mar 31, 2026
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Moderate
CVE-2026-34369
was published
for
wwbn/avideo
(Composer)
Mar 30, 2026
AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
Moderate
CVE-2026-34247
was published
for
wwbn/avideo
(Composer)
Mar 29, 2026
AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
Moderate
CVE-2026-34245
was published
for
wwbn/avideo
(Composer)
Mar 29, 2026
AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records
High
GHSA-wprj-9cvc-5w37
was published
for
wwbn/avideo
(Composer)
Mar 29, 2026
Statamic allows unauthorized content access through missing authorization in its revision controllers
Moderate
CVE-2026-33887
was published
for
statamic/cms
(Composer)
Mar 26, 2026
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
Moderate
CVE-2026-33761
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Moderate
CVE-2026-33759
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
Low
GHSA-44px-qjjc-xrhq
was published
for
craftcms/cms
(Composer)
Mar 26, 2026
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
Moderate
CVE-2026-33685
was published
for
wwbn/avideo
(Composer)
Mar 25, 2026
ProTip!
Advisories are also available from the
GraphQL API