GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Ecosystem filter counts for GitHub-reviewed advisories (the filter caps displayed counts at "5,000+"):
All reviewed 5,000+ | Composer 5,000+ | Erlang 49 | GitHub Actions 49 | Go 3,521 | Maven 5,000+ | npm 5,000+ | NuGet 911 | pip 4,760 | Pub 13 | RubyGems 1,036 | Rust 1,229 | Swift 53
Unreviewed advisories: All unreviewed 5,000+

5,607 advisories match the current filter; every entry listed below is a GitHub-reviewed advisory for a Composer package.
Published | Severity | Advisory | Package (ecosystem) | Summary
Apr 15, 2026 | Moderate | CVE-2026-40486 | kimai/kimai (Composer) | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate
Apr 15, 2026 | Moderate | CVE-2026-40479 | kimai/kimai (Composer) | Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
Apr 15, 2026 | Moderate | GHSA-xp4f-g2cm-rhg7 | pocketmine/pocketmine-mp (Composer) | PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket
Apr 14, 2026 | Moderate | GHSA-95wr-3f2v-v2wh | craftcms/cms (Composer) | Craft CMS has a host header injection leading to SSRF via resource-js endpoint
Apr 14, 2026 | Moderate | GHSA-3m9m-24vh-39wx | craftcms/cms (Composer) | Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
Apr 14, 2026 | Moderate | GHSA-jq2f-59pj-p3m3 | craftcms/cms (Composer) | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
Apr 14, 2026 | High | GHSA-pq8p-wc4f-vg7j | wwbn/avideo (Composer) | WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
Apr 14, 2026 | Moderate | GHSA-m7r8-6q9j-m2hc | wwbn/avideo (Composer) | WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
Apr 14, 2026 | Moderate | GHSA-m63r-m9jh-3vc6 | wwbn/avideo (Composer) | WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
Apr 14, 2026 | Moderate | GHSA-8pv3-29pp-pf8f | wwbn/avideo (Composer) | WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver
Apr 14, 2026 | High | GHSA-j432-4w3j-3w8j | wwbn/avideo (Composer) | WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
Apr 14, 2026 | Moderate | GHSA-5879-4fmr-xwf2 | wwbn/avideo (Composer) | WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal
Apr 14, 2026 | High | GHSA-ff5q-cc22-fgp4 | wwbn/avideo (Composer) | WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
Apr 14, 2026 | High | GHSA-ccq9-r5cw-5hwq | wwbn/avideo (Composer) | WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
Apr 14, 2026 | Moderate | GHSA-793q-xgj6-7frp | wwbn/avideo (Composer) | WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
Apr 14, 2026 | Moderate | GHSA-hg7g-56h5-5pqr | wwbn/avideo (Composer) | CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
Apr 14, 2026 | Moderate | GHSA-8qm8-g55h-xmqr | wwbn/avideo (Composer) | WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
Apr 14, 2026 | Moderate | GHSA-x2pw-9c38-cp2j | wwbn/avideo (Composer) | WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
Apr 14, 2026 | High | GHSA-ffw8-fwxp-h64w | wwbn/avideo (Composer) | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
Apr 14, 2026 | High | GHSA-vvfw-4m39-fjqf | wwbn/avideo (Composer) | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
Apr 14, 2026 | Critical | GHSA-gph2-j4c9-vhhr | wwbn/avideo (Composer) | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Apr 14, 2026 | High | GHSA-6rc6-p838-686f | wwbn/avideo (Composer) | WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
Apr 14, 2026 | Moderate | GHSA-52hf-63q4-r926 | wwbn/avideo (Composer) | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
Apr 14, 2026 | Moderate | GHSA-gpgp-w4x2-h3h7 | wwbn/avideo (Composer) | WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
Apr 14, 2026 | High | CVE-2026-39971 | s9y/serendipity (Composer) | Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header
Advisories are also available from the GitHub GraphQL API.
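The following is an added example, not GitHub's code and not part of this page, showing how a practitioner would pull reviewed advisories for one ecosystem over the GraphQL API mentioned above and triage them. It goes a step beyond the page by cross-referencing the returned vulnerable version ranges against a local map of installed packages (in practice, a lockfile). Assumptions: the query uses the `securityVulnerabilities` connection and the argument and field names as I understand them from the public schema (verify in the schema explorer if a request is rejected); `fetch_findings` needs network access and a personal access token passed in by the caller; `SAMPLE_RESPONSE`, the `example/cms` and `example/player` packages and their ranges are constructed data, not real advisories; the function names are mine.

```python
import json
import operator
import re
import urllib.request
from dataclasses import dataclass

# Query against the securityVulnerabilities connection. Argument and field names follow
# the public GitHub GraphQL schema as I understand it (assumption: check the schema explorer).
QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $severities: [SecurityAdvisorySeverity!],
      $first: Int!, $after: String) {
  securityVulnerabilities(ecosystem: $ecosystem, severities: $severities, first: $first,
                          after: $after, orderBy: {field: UPDATED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes { package { name } vulnerableVersionRange firstPatchedVersion { identifier }
            advisory { ghsaId summary severity identifiers { type value } } }
  }
}
"""

@dataclass(frozen=True)
class Finding:
    ghsa_id: str
    cve: "str | None"            # None for GitHub-originated advisories without a CVE
    severity: str
    package: str
    vulnerable_range: str
    first_patched: "str | None"  # None: no fixed release is known yet
    summary: str

def parse_response(body: dict) -> list:
    """Flatten one response page; errors are raised because GraphQL may return partial data."""
    if body.get("errors"):
        raise RuntimeError("GraphQL errors: " + json.dumps(body["errors"]))
    out = []
    for node in body["data"]["securityVulnerabilities"]["nodes"]:
        adv, patched = node["advisory"], node.get("firstPatchedVersion")
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        out.append(Finding(adv["ghsaId"], cve, adv["severity"], node["package"]["name"],
                           node["vulnerableVersionRange"],
                           patched["identifier"] if patched else None, adv["summary"]))
    return out

def _version_key(v: str) -> tuple:
    # Numeric dotted prefix ("v4.2.0-beta1" -> (4, 2)), trailing zeros dropped so 4.2 == 4.2.0;
    # pre-release tags are ignored (assumption: triage-grade, not a full Composer comparator).
    m = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version: str, vulnerable_range: str) -> bool:
    """True when every comma-separated clause of a range like ">= 4.0.0, < 4.5.3" holds."""
    ops = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "=": operator.eq}
    key = _version_key(version)
    for clause in vulnerable_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        if not ops[m.group(1)](key, _version_key(m.group(2))):
            return False
    return True

def matching_findings(findings: list, installed: dict) -> list:
    """Cross-reference findings with an installed-package map {name: version}."""
    return [f for f in findings
            if f.package in installed and is_affected(installed[f.package], f.vulnerable_range)]

def fetch_findings(ecosystem: str, token: str, severities=("HIGH", "CRITICAL"), page_size=100):
    """Page through the connection; needs network access and a GitHub token."""
    headers = {"Authorization": f"bearer {token}", "Content-Type": "application/json",
               "User-Agent": "advisory-triage-example"}
    after, found = None, []
    while True:
        variables = {"ecosystem": ecosystem, "severities": list(severities),
                     "first": page_size, "after": after}
        req = urllib.request.Request("https://api.github.com/graphql", headers=headers,
                                     data=json.dumps({"query": QUERY, "variables": variables}).encode())
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        found.extend(parse_response(body))
        page = body["data"]["securityVulnerabilities"]["pageInfo"]
        if not page["hasNextPage"]:
            return found
        after = page["endCursor"]

# Constructed sample response (not real advisory data), shaped like the listing above:
# one advisory with a fixed release and one without.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"package": {"name": "example/cms"}, "vulnerableVersionRange": ">= 4.0.0, < 4.5.3",
         "firstPatchedVersion": {"identifier": "4.5.3"},
         "advisory": {"ghsaId": "GHSA-0000-0000-0001", "summary": "Example CMS SSRF", "severity": "HIGH",
                      "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0001"},
                                      {"type": "CVE", "value": "CVE-2026-00001"}]}},
        {"package": {"name": "example/player"}, "vulnerableVersionRange": "< 2.1.0", "firstPatchedVersion": None,
         "advisory": {"ghsaId": "GHSA-0000-0000-0002", "summary": "Example player CSRF", "severity": "MODERATE",
                      "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0002"}]}}]}}}
```

Offline, `matching_findings(parse_response(SAMPLE_RESPONSE), {"example/cms": "v4.2.0", "example/player": "2.1.0"})` returns only the `example/cms` finding: 4.2.0 sits inside `>= 4.0.0, < 4.5.3`, while 2.1.0 is exactly the first version outside `< 2.1.0`. Two details matter in practice: a finding whose `first_patched` is `None` has no fix to upgrade to and needs a mitigation rather than a version bump, and GraphQL may return an `errors` array next to partial `data`, so the parser refuses such a response instead of silently reporting an incomplete list.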