GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,691 advisories

webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments High
GHSA-fc86-6rv6-2jpm was published for webonyx/graphql-php (Composer) May 4, 2026
Credited to d0cs1s-bzhunt and BZHunt
livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler High
GHSA-gxxh-8vcj-w2mh was published for mckenziearts/livewire-markdown-editor (Composer) May 4, 2026
phpVMS has an /importer authorization bypass causing full database wipe Critical
CVE-2026-42569 was published for nabeel/phpvms (Composer) May 4, 2026
Credited to peter-bosch
Credited to offset
AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration Moderate
GHSA-qff7-q5fm-8p76 was published for azuracast/azuracast (Composer) May 4, 2026
Credited to offset
AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption Moderate
GHSA-4fm3-ggg2-c6qx was published for azuracast/azuracast (Composer) May 4, 2026
Credited to offset
AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload High
CVE-2026-42605 was published for azuracast/azuracast (Composer) May 4, 2026
Credited to offset
CI4MS has a Deactivated User Session Bypass (active=0) Moderate
CVE-2026-41891 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
Credited to dapickle
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess Moderate
CVE-2026-41890 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
Credited to dapickle
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users Moderate
CVE-2026-42051 was published for getkirby/cms (Composer) May 4, 2026
Credited to HuajiHD and 0x-bala
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions Moderate
CVE-2026-42174 was published for getkirby/cms (Composer) May 4, 2026
Kirby CMS's read access to site, user and role information is not gated by permissions High
CVE-2026-42069 was published for getkirby/cms (Composer) May 4, 2026
Credited to HuajiHD
ps_checkout allows unauthorized method invocation through unvalidated parameter Low
GHSA-mqq7-wxx5-mp8h was published for prestashop/ps_checkout (Composer) Apr 30, 2026
Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation Moderate
CVE-2026-41671 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest High
CVE-2026-41670 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests High
CVE-2026-41669 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send Low
CVE-2026-41663 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio Missing Minimum Administrator Check in Role Membership Removal Moderate
CVE-2026-41662 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion Moderate
CVE-2026-41661 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP High
CVE-2026-41660 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to adrgs and aisafe-bot
Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment Low
CVE-2026-41659 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items Moderate
CVE-2026-41658 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php Moderate
CVE-2026-41657 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
ProTip! Advisories are also available from the GraphQL API