GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,195 advisories
Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates
Moderate
GHSA-vrqv-52x7-rm4v
was published
for
kimai/kimai
(Composer)
May 6, 2026
Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation
Moderate
GHSA-9g2q-w3w2-vf7q
was published
for
kimai/kimai
(Composer)
May 6, 2026
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
Moderate
CVE-2026-43883
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
Moderate
CVE-2026-43881
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
Moderate
CVE-2026-43880
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
Moderate
CVE-2026-43879
was published
for
wwbn/avideo
(Composer)
May 5, 2026
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
Moderate
CVE-2026-42610
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
Moderate
CVE-2026-42842
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav CMS vulnerable to stored XSS via Markdown media attribute() action
Moderate
CVE-2026-42841
was published
for
getgrav/grav
(Composer)
May 5, 2026
Kimai vulnerable to formula Injection via tag names in XLSX export
Moderate
CVE-2026-42267
was published
for
kimai/kimai
(Composer)
May 5, 2026
Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`
Moderate
CVE-2026-42207
was published
for
openmage/magento-lts
(Composer)
May 5, 2026
Admidio has an incomplete fix for CVE-2026-32812 (SSRF)
Moderate
CVE-2026-42194
was published
for
admidio/admidio
(Composer)
May 5, 2026
Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
Moderate
CVE-2026-43878
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
Moderate
CVE-2026-43877
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
Moderate
CVE-2026-43876
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover
Moderate
CVE-2026-43875
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration
Moderate
GHSA-qff7-q5fm-8p76
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption
Moderate
GHSA-4fm3-ggg2-c6qx
was published
for
azuracast/azuracast
(Composer)
May 4, 2026
CI4MS has a Deactivated User Session Bypass (active=0)
Moderate
CVE-2026-41891
was published
for
ci4-cms-erp/ci4ms
(Composer)
May 4, 2026
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
Moderate
CVE-2026-41890
was published
for
ci4-cms-erp/ci4ms
(Composer)
May 4, 2026
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
Moderate
CVE-2026-42051
was published
for
getkirby/cms
(Composer)
May 4, 2026
Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation
Moderate
CVE-2026-41671
was published
for
admidio/admidio
(Composer)
Apr 29, 2026
ProTip!
Advisories are also available from the
GraphQL API