{"advisories":{"wwbn\/avideo":[{"advisoryId":"PKSA-6czf-bc7p-h4k6","packageName":"wwbn\/avideo","remoteId":"GHSA-4q27-4rrq-fx95","title":"AVideo: CSRF on Player Skin Configuration via admin\/playerUpdate.json.php","link":"https:\/\/github.com\/advisories\/GHSA-4q27-4rrq-fx95","cve":"CVE-2026-35181","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4q27-4rrq-fx95"}]},{"advisoryId":"PKSA-9kdr-v9xz-q97d","packageName":"wwbn\/avideo","remoteId":"GHSA-x9w5-xccw-5h9w","title":"AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php","link":"https:\/\/github.com\/advisories\/GHSA-x9w5-xccw-5h9w","cve":"CVE-2026-35179","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:33:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x9w5-xccw-5h9w"}]},{"advisoryId":"PKSA-h129-dyyg-hqpq","packageName":"wwbn\/avideo","remoteId":"GHSA-gmpc-fxg2-vcmq","title":"AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin","link":"https:\/\/github.com\/advisories\/GHSA-gmpc-fxg2-vcmq","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 23:25:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gmpc-fxg2-vcmq"}]},{"advisoryId":"PKSA-nbcf-22q2-3259","packageName":"wwbn\/avideo","remoteId":"GHSA-4jcg-jxpf-5vq3","title":"AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php","link":"https:\/\/github.com\/advisories\/GHSA-4jcg-jxpf-5vq3","cve":"CVE-2026-34731","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:04:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jcg-jxpf-5vq3"}]},{"advisoryId":"PKSA-mshg-1d1p-db19","packageName":"wwbn\/avideo","remoteId":"GHSA-g2mg-cgr6-vmv7","title":"AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-g2mg-cgr6-vmv7","cve":"CVE-2026-34732","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:05:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g2mg-cgr6-vmv7"}]},{"advisoryId":"PKSA-tjqt-v3v3-pg6b","packageName":"wwbn\/avideo","remoteId":"GHSA-wwpw-hrx8-79r5","title":"AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard","link":"https:\/\/github.com\/advisories\/GHSA-wwpw-hrx8-79r5","cve":"CVE-2026-34733","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:06:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wwpw-hrx8-79r5"}]},{"advisoryId":"PKSA-jw1r-58j1-stm1","packageName":"wwbn\/avideo","remoteId":"GHSA-38rh-4v39-vfxv","title":"AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug","link":"https:\/\/github.com\/advisories\/GHSA-38rh-4v39-vfxv","cve":"CVE-2026-34737","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:06:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38rh-4v39-vfxv"}]},{"advisoryId":"PKSA-4yg6-hdf3-cm7q","packageName":"wwbn\/avideo","remoteId":"GHSA-m577-w9j8-ch7j","title":"AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter","link":"https:\/\/github.com\/advisories\/GHSA-m577-w9j8-ch7j","cve":"CVE-2026-34738","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:07:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m577-w9j8-ch7j"}]},{"advisoryId":"PKSA-trzy-nkyc-3bq1","packageName":"wwbn\/avideo","remoteId":"GHSA-jqrj-chh6-8h78","title":"AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php","link":"https:\/\/github.com\/advisories\/GHSA-jqrj-chh6-8h78","cve":"CVE-2026-34739","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:08:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jqrj-chh6-8h78"}]},{"advisoryId":"PKSA-v4v4-994j-g46x","packageName":"wwbn\/avideo","remoteId":"GHSA-x5vx-vrpf-r45f","title":"AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation","link":"https:\/\/github.com\/advisories\/GHSA-x5vx-vrpf-r45f","cve":"CVE-2026-34740","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:08:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5vx-vrpf-r45f"}]},{"advisoryId":"PKSA-bppj-bwtk-gjyq","packageName":"wwbn\/avideo","remoteId":"GHSA-hqxf-mhfw-rc44","title":"AVideo: CSRF on Plugin Enable\/Disable Endpoint Allows Disabling Security Plugins","link":"https:\/\/github.com\/advisories\/GHSA-hqxf-mhfw-rc44","cve":"CVE-2026-34613","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:54:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hqxf-mhfw-rc44"}]},{"advisoryId":"PKSA-nph7-q1m2-1jj5","packageName":"wwbn\/avideo","remoteId":"GHSA-w4hp-w536-jg64","title":"AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification","link":"https:\/\/github.com\/advisories\/GHSA-w4hp-w536-jg64","cve":"CVE-2026-34716","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:54:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w4hp-w536-jg64"}]},{"advisoryId":"PKSA-zmm3-dkmp-577r","packageName":"wwbn\/avideo","remoteId":"GHSA-c4xj-x7p8-3x7q","title":"AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users","link":"https:\/\/github.com\/advisories\/GHSA-c4xj-x7p8-3x7q","cve":"CVE-2026-34611","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:48:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c4xj-x7p8-3x7q"}]},{"advisoryId":"PKSA-9wd9-hqm1-g8vw","packageName":"wwbn\/avideo","remoteId":"GHSA-77jp-mgcw-rfmr","title":"AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php","link":"https:\/\/github.com\/advisories\/GHSA-77jp-mgcw-rfmr","cve":"CVE-2026-34395","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:21:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-77jp-mgcw-rfmr"}]},{"advisoryId":"PKSA-8d8v-tnwh-mvxd","packageName":"wwbn\/avideo","remoteId":"GHSA-v4h7-3x43-qqw4","title":"AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel","link":"https:\/\/github.com\/advisories\/GHSA-v4h7-3x43-qqw4","cve":"CVE-2026-34396","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:22:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v4h7-3x43-qqw4"}]},{"advisoryId":"PKSA-sgq7-y46w-x6wm","packageName":"wwbn\/avideo","remoteId":"GHSA-4wwr-7h7c-chqr","title":"AVideo\u0027s CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-4wwr-7h7c-chqr","cve":"CVE-2026-34394","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:15:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4wwr-7h7c-chqr"}]},{"advisoryId":"PKSA-jgsk-3v13-mp5q","packageName":"wwbn\/avideo","remoteId":"GHSA-q6jj-r49p-94fh","title":"AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification","link":"https:\/\/github.com\/advisories\/GHSA-q6jj-r49p-94fh","cve":"CVE-2026-34369","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 18:03:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q6jj-r49p-94fh"}]},{"advisoryId":"PKSA-vp5k-2k3q-kh8x","packageName":"wwbn\/avideo","remoteId":"GHSA-pm37-62g7-p768","title":"AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page","link":"https:\/\/github.com\/advisories\/GHSA-pm37-62g7-p768","cve":"CVE-2026-34375","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 18:08:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm37-62g7-p768"}]},{"advisoryId":"PKSA-r7hg-81sr-ph3s","packageName":"wwbn\/avideo","remoteId":"GHSA-h54m-c522-h6qr","title":"AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance","link":"https:\/\/github.com\/advisories\/GHSA-h54m-c522-h6qr","cve":"CVE-2026-34368","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:51:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h54m-c522-h6qr"}]},{"advisoryId":"PKSA-zrqg-465j-tm13","packageName":"wwbn\/avideo","remoteId":"GHSA-73gr-r64q-7jh4","title":"AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php","link":"https:\/\/github.com\/advisories\/GHSA-73gr-r64q-7jh4","cve":"CVE-2026-34364","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:49:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-73gr-r64q-7jh4"}]},{"advisoryId":"PKSA-3yrj-j1ff-gsp4","packageName":"wwbn\/avideo","remoteId":"GHSA-2mg4-pfgx-64cf","title":"AVideo\u0027s WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()","link":"https:\/\/github.com\/advisories\/GHSA-2mg4-pfgx-64cf","cve":"CVE-2026-34362","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:35:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2mg4-pfgx-64cf"}]},{"advisoryId":"PKSA-mhr2-p9hx-xy4j","packageName":"wwbn\/avideo","remoteId":"GHSA-wprj-9cvc-5w37","title":"AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records","link":"https:\/\/github.com\/advisories\/GHSA-wprj-9cvc-5w37","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:40:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wprj-9cvc-5w37"}]},{"advisoryId":"PKSA-fw58-yv1p-mjjv","packageName":"wwbn\/avideo","remoteId":"GHSA-2rm7-j397-3fqg","title":"AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-2rm7-j397-3fqg","cve":"CVE-2026-34245","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:41:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2rm7-j397-3fqg"}]},{"advisoryId":"PKSA-6jcq-63hk-b922","packageName":"wwbn\/avideo","remoteId":"GHSA-g3hj-mf85-679g","title":"AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications","link":"https:\/\/github.com\/advisories\/GHSA-g3hj-mf85-679g","cve":"CVE-2026-34247","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:41:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g3hj-mf85-679g"}]},{"advisoryId":"PKSA-37q2-fmsd-htgf","packageName":"wwbn\/avideo","remoteId":"GHSA-f359-r3pv-2phf","title":"AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f359-r3pv-2phf","cve":"CVE-2026-33766","affectedVersions":"\u003C=14.3","source":"GitHub","reportedAt":"2026-03-26 18:10:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f359-r3pv-2phf"}]},{"advisoryId":"PKSA-d7fp-yz92-57bz","packageName":"wwbn\/avideo","remoteId":"GHSA-fj74-qxj7-r3vc","title":"AVideo has SQL Injection via Partial Prepared Statement \u2014 videos_id Concatenated Directly into Query","link":"https:\/\/github.com\/advisories\/GHSA-fj74-qxj7-r3vc","cve":"CVE-2026-33767","affectedVersions":"\u003C26.0","source":"GitHub","reportedAt":"2026-03-26 18:12:33","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fj74-qxj7-r3vc"}]},{"advisoryId":"PKSA-d1c1-62x6-fsdv","packageName":"wwbn\/avideo","remoteId":"GHSA-584p-rpvq-35vf","title":"AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables","link":"https:\/\/github.com\/advisories\/GHSA-584p-rpvq-35vf","cve":"CVE-2026-33770","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:15:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-584p-rpvq-35vf"}]},{"advisoryId":"PKSA-vcf8-yygk-smvm","packageName":"wwbn\/avideo","remoteId":"GHSA-363v-5rh8-23wg","title":"AVideo has Plaintext Video Password Storage","link":"https:\/\/github.com\/advisories\/GHSA-363v-5rh8-23wg","cve":"CVE-2026-33867","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:16:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-363v-5rh8-23wg"}]},{"advisoryId":"PKSA-kzzd-7tpm-2718","packageName":"wwbn\/avideo","remoteId":"GHSA-75qq-68m8-pvfr","title":"AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents","link":"https:\/\/github.com\/advisories\/GHSA-75qq-68m8-pvfr","cve":"CVE-2026-33759","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:05:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-75qq-68m8-pvfr"}]},{"advisoryId":"PKSA-t2zr-g4vs-n5nr","packageName":"wwbn\/avideo","remoteId":"GHSA-j724-5c6c-68g5","title":"AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings","link":"https:\/\/github.com\/advisories\/GHSA-j724-5c6c-68g5","cve":"CVE-2026-33761","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:06:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j724-5c6c-68g5"}]},{"advisoryId":"PKSA-qmkf-gp88-ftk6","packageName":"wwbn\/avideo","remoteId":"GHSA-8prq-2jr2-cm92","title":"AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle","link":"https:\/\/github.com\/advisories\/GHSA-8prq-2jr2-cm92","cve":"CVE-2026-33763","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:07:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8prq-2jr2-cm92"}]},{"advisoryId":"PKSA-ggc8-4vpf-v295","packageName":"wwbn\/avideo","remoteId":"GHSA-g39v-qrj6-jxrh","title":"AVideo: IDOR in AI Plugin Allows Stealing Other Users\u0027 AI-Generated Metadata and Transcriptions","link":"https:\/\/github.com\/advisories\/GHSA-g39v-qrj6-jxrh","cve":"CVE-2026-33764","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:08:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g39v-qrj6-jxrh"}]},{"advisoryId":"PKSA-nk6y-bx1m-kq7t","packageName":"wwbn\/avideo","remoteId":"GHSA-r64r-883r-wcwh","title":"AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment","link":"https:\/\/github.com\/advisories\/GHSA-r64r-883r-wcwh","cve":"CVE-2026-33719","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:55:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r64r-883r-wcwh"}]},{"advisoryId":"PKSA-c9d6-fz2f-92mg","packageName":"wwbn\/avideo","remoteId":"GHSA-ffr8-fxhv-fv8h","title":"AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter","link":"https:\/\/github.com\/advisories\/GHSA-ffr8-fxhv-fv8h","cve":"CVE-2026-33723","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:56:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ffr8-fxhv-fv8h"}]},{"advisoryId":"PKSA-7gff-yt7v-8bkx","packageName":"wwbn\/avideo","remoteId":"GHSA-9hv9-gvwm-95f2","title":"AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php","link":"https:\/\/github.com\/advisories\/GHSA-9hv9-gvwm-95f2","cve":"CVE-2026-33716","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:28:21","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9hv9-gvwm-95f2"}]},{"advisoryId":"PKSA-xbpw-5md3-j3nz","packageName":"wwbn\/avideo","remoteId":"GHSA-8wf4-c4x3-h952","title":"AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL","link":"https:\/\/github.com\/advisories\/GHSA-8wf4-c4x3-h952","cve":"CVE-2026-33717","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:28:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8wf4-c4x3-h952"}]},{"advisoryId":"PKSA-9p99-sn38-6cwv","packageName":"wwbn\/avideo","remoteId":"GHSA-3hwv-x8g3-9qpr","title":"AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name","link":"https:\/\/github.com\/advisories\/GHSA-3hwv-x8g3-9qpr","cve":"CVE-2026-33681","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:51:46","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3hwv-x8g3-9qpr"}]},{"advisoryId":"PKSA-cx3j-v85y-y9tv","packageName":"wwbn\/avideo","remoteId":"GHSA-ghx5-7jjg-q2j7","title":"AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field","link":"https:\/\/github.com\/advisories\/GHSA-ghx5-7jjg-q2j7","cve":"CVE-2026-33683","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:52:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ghx5-7jjg-q2j7"}]},{"advisoryId":"PKSA-rhxf-1yfy-x5fd","packageName":"wwbn\/avideo","remoteId":"GHSA-j36m-74g2-7m95","title":"AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data","link":"https:\/\/github.com\/advisories\/GHSA-j36m-74g2-7m95","cve":"CVE-2026-33685","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:52:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j36m-74g2-7m95"}]},{"advisoryId":"PKSA-rmrd-1jny-519s","packageName":"wwbn\/avideo","remoteId":"GHSA-m99f-mmvg-3xmx","title":"AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-m99f-mmvg-3xmx","cve":"CVE-2026-33688","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:53:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m99f-mmvg-3xmx"}]},{"advisoryId":"PKSA-6bhm-ppng-rh7j","packageName":"wwbn\/avideo","remoteId":"GHSA-wxjx-r2j2-96fx","title":"AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin\/Live\/test.php","link":"https:\/\/github.com\/advisories\/GHSA-wxjx-r2j2-96fx","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:53:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wxjx-r2j2-96fx"}]},{"advisoryId":"PKSA-x77f-z8vb-hbfr","packageName":"wwbn\/avideo","remoteId":"GHSA-8p2x-5cpm-qrqw","title":"AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()","link":"https:\/\/github.com\/advisories\/GHSA-8p2x-5cpm-qrqw","cve":"CVE-2026-33690","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:54:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8p2x-5cpm-qrqw"}]},{"advisoryId":"PKSA-m663-qqs4-57t4","packageName":"wwbn\/avideo","remoteId":"GHSA-pvw4-p2jm-chjm","title":"AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()","link":"https:\/\/github.com\/advisories\/GHSA-pvw4-p2jm-chjm","cve":"CVE-2026-33651","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:50:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pvw4-p2jm-chjm"}]},{"advisoryId":"PKSA-sv6m-nx8k-5kz3","packageName":"wwbn\/avideo","remoteId":"GHSA-wxjw-phj6-g75w","title":"AVideo Vulnerable to Remote Code Execution via MIME\/Extension Mismatch in ImageGallery File Upload","link":"https:\/\/github.com\/advisories\/GHSA-wxjw-phj6-g75w","cve":"CVE-2026-33647","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:45:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wxjw-phj6-g75w"}]},{"advisoryId":"PKSA-cpqv-3x62-47s6","packageName":"wwbn\/avideo","remoteId":"GHSA-5m4q-5cvx-36mw","title":"AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path","link":"https:\/\/github.com\/advisories\/GHSA-5m4q-5cvx-36mw","cve":"CVE-2026-33648","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:47:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5m4q-5cvx-36mw"}]},{"advisoryId":"PKSA-nfgn-q1hy-xddr","packageName":"wwbn\/avideo","remoteId":"GHSA-g8x9-7mgh-7cvj","title":"AVideo\u0027s GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification","link":"https:\/\/github.com\/advisories\/GHSA-g8x9-7mgh-7cvj","cve":"CVE-2026-33649","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:48:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-g8x9-7mgh-7cvj"}]},{"advisoryId":"PKSA-kbvc-x3nh-bwr5","packageName":"wwbn\/avideo","remoteId":"GHSA-8x77-f38v-4m5j","title":"AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion","link":"https:\/\/github.com\/advisories\/GHSA-8x77-f38v-4m5j","cve":"CVE-2026-33650","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:49:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8x77-f38v-4m5j"}]},{"advisoryId":"PKSA-stv4-sw5c-pp7h","packageName":"wwbn\/avideo","remoteId":"GHSA-mwjc-5j4x-r686","title":"AVideo has an unauthenticated decrypt oracle leaking any ciphertext","link":"https:\/\/github.com\/advisories\/GHSA-mwjc-5j4x-r686","cve":"CVE-2026-33512","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 21:55:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mwjc-5j4x-r686"}]},{"advisoryId":"PKSA-2x5y-pg7k-8jx1","packageName":"wwbn\/avideo","remoteId":"GHSA-8fw8-q79c-fp9m","title":"AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)","link":"https:\/\/github.com\/advisories\/GHSA-8fw8-q79c-fp9m","cve":"CVE-2026-33513","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 21:55:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8fw8-q79c-fp9m"}]},{"advisoryId":"PKSA-9rhr-hzp4-skcj","packageName":"wwbn\/avideo","remoteId":"GHSA-hv36-p4w4-6vmj","title":"AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload","link":"https:\/\/github.com\/advisories\/GHSA-hv36-p4w4-6vmj","cve":"CVE-2026-33507","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 21:47:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hv36-p4w4-6vmj"}]},{"advisoryId":"PKSA-g9zg-y2pv-yf4q","packageName":"wwbn\/avideo","remoteId":"GHSA-7292-w8qp-mhq2","title":"AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php","link":"https:\/\/github.com\/advisories\/GHSA-7292-w8qp-mhq2","cve":"CVE-2026-33499","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:56:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7292-w8qp-mhq2"}]},{"advisoryId":"PKSA-fjmv-8jwk-wtsg","packageName":"wwbn\/avideo","remoteId":"GHSA-72h5-39r7-r26j","title":"AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-72h5-39r7-r26j","cve":"CVE-2026-33500","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:56:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-72h5-39r7-r26j"}]},{"advisoryId":"PKSA-93k3-9zdh-zky7","packageName":"wwbn\/avideo","remoteId":"GHSA-96qp-8cmq-jvq8","title":"AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin","link":"https:\/\/github.com\/advisories\/GHSA-96qp-8cmq-jvq8","cve":"CVE-2026-33501","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:57:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-96qp-8cmq-jvq8"}]},{"advisoryId":"PKSA-734r-s438-vkf3","packageName":"wwbn\/avideo","remoteId":"GHSA-3fpm-8rjr-v5mc","title":"AVideo has Unauthenticated SSRF via plugin\/Live\/test.php","link":"https:\/\/github.com\/advisories\/GHSA-3fpm-8rjr-v5mc","cve":"CVE-2026-33502","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:57:56","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-3fpm-8rjr-v5mc"}]},{"advisoryId":"PKSA-4kfk-t6qg-77z2","packageName":"wwbn\/avideo","remoteId":"GHSA-xggw-g9pm-9qhh","title":"AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin","link":"https:\/\/github.com\/advisories\/GHSA-xggw-g9pm-9qhh","cve":"CVE-2026-33479","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:44:02","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xggw-g9pm-9qhh"}]},{"advisoryId":"PKSA-8d9c-5xxm-8vns","packageName":"wwbn\/avideo","remoteId":"GHSA-p3gr-g84w-g8hh","title":"AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy","link":"https:\/\/github.com\/advisories\/GHSA-p3gr-g84w-g8hh","cve":"CVE-2026-33480","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:44:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p3gr-g84w-g8hh"}]},{"advisoryId":"PKSA-tp22-rjkg-27h5","packageName":"wwbn\/avideo","remoteId":"GHSA-pmj8-r2j7-xg6c","title":"AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()","link":"https:\/\/github.com\/advisories\/GHSA-pmj8-r2j7-xg6c","cve":"CVE-2026-33482","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:46:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pmj8-r2j7-xg6c"}]},{"advisoryId":"PKSA-f4gx-6t2c-nrd6","packageName":"wwbn\/avideo","remoteId":"GHSA-vv7w-qf5c-734w","title":"AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php","link":"https:\/\/github.com\/advisories\/GHSA-vv7w-qf5c-734w","cve":"CVE-2026-33483","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:46:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vv7w-qf5c-734w"}]},{"advisoryId":"PKSA-v7r8-5fwd-x92z","packageName":"wwbn\/avideo","remoteId":"GHSA-8p58-35c3-ccxx","title":"AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter","link":"https:\/\/github.com\/advisories\/GHSA-8p58-35c3-ccxx","cve":"CVE-2026-33485","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:47:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8p58-35c3-ccxx"}]},{"advisoryId":"PKSA-qjdg-5npg-72ng","packageName":"wwbn\/avideo","remoteId":"GHSA-6m5f-j7w2-w953","title":"AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin","link":"https:\/\/github.com\/advisories\/GHSA-6m5f-j7w2-w953","cve":"CVE-2026-33488","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:49:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6m5f-j7w2-w953"}]},{"advisoryId":"PKSA-3ybr-q6r1-fnzm","packageName":"wwbn\/avideo","remoteId":"GHSA-x3pr-vrhq-vq43","title":"AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration","link":"https:\/\/github.com\/advisories\/GHSA-x3pr-vrhq-vq43","cve":"CVE-2026-33492","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:49:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-x3pr-vrhq-vq43"}]},{"advisoryId":"PKSA-28kd-gd4j-w94p","packageName":"wwbn\/avideo","remoteId":"GHSA-83xq-8jxj-4rxm","title":"AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read\/Deletion via fileURI Parameter","link":"https:\/\/github.com\/advisories\/GHSA-83xq-8jxj-4rxm","cve":"CVE-2026-33493","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:49:36","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-83xq-8jxj-4rxm"}]},{"advisoryId":"PKSA-6mc5-gbk2-4jkz","packageName":"wwbn\/avideo","remoteId":"GHSA-4jw9-5hrc-m4j6","title":"AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`","link":"https:\/\/github.com\/advisories\/GHSA-4jw9-5hrc-m4j6","cve":"CVE-2026-33354","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-19 19:34:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jw9-5hrc-m4j6"}]},{"advisoryId":"PKSA-zqc4-q9ns-kq82","packageName":"wwbn\/avideo","remoteId":"GHSA-mcj5-6qr4-95fj","title":"AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)","link":"https:\/\/github.com\/advisories\/GHSA-mcj5-6qr4-95fj","cve":"CVE-2026-33352","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-19 19:25:53","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-mcj5-6qr4-95fj"}]},{"advisoryId":"PKSA-kz4k-1fdq-4jkn","packageName":"wwbn\/avideo","remoteId":"GHSA-5f7v-4f6g-74rj","title":"AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass","link":"https:\/\/github.com\/advisories\/GHSA-5f7v-4f6g-74rj","cve":"CVE-2026-33351","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-19 19:13:26","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-5f7v-4f6g-74rj"}]},{"advisoryId":"PKSA-yh5p-7324-8k1n","packageName":"wwbn\/avideo","remoteId":"GHSA-hj5h-5623-gwhw","title":"AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php","link":"https:\/\/github.com\/advisories\/GHSA-hj5h-5623-gwhw","cve":"CVE-2026-33296","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:25:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hj5h-5623-gwhw"}]},{"advisoryId":"PKSA-qms8-qf5t-6w9q","packageName":"wwbn\/avideo","remoteId":"GHSA-6547-8hrg-c55m","title":"AVideo: IDOR - Any Admin Can Set Another User\u0027s Channel Password via setPassword.json.php","link":"https:\/\/github.com\/advisories\/GHSA-6547-8hrg-c55m","cve":"CVE-2026-33297","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:25:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6547-8hrg-c55m"}]},{"advisoryId":"PKSA-61gg-79td-yp6m","packageName":"wwbn\/avideo","remoteId":"GHSA-xmjm-86qv-g226","title":"AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter","link":"https:\/\/github.com\/advisories\/GHSA-xmjm-86qv-g226","cve":"CVE-2026-33293","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:12:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xmjm-86qv-g226"}]},{"advisoryId":"PKSA-69wq-d8c2-6qbn","packageName":"wwbn\/avideo","remoteId":"GHSA-66cw-h2mj-j39p","title":"AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources","link":"https:\/\/github.com\/advisories\/GHSA-66cw-h2mj-j39p","cve":"CVE-2026-33294","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:12:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66cw-h2mj-j39p"}]},{"advisoryId":"PKSA-7zcq-fgdd-9176","packageName":"wwbn\/avideo","remoteId":"GHSA-gc3m-4mcr-h3pv","title":"AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php","link":"https:\/\/github.com\/advisories\/GHSA-gc3m-4mcr-h3pv","cve":"CVE-2026-33295","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:12:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gc3m-4mcr-h3pv"}]},{"advisoryId":"PKSA-ht27-8rcs-t939","packageName":"wwbn\/avideo","remoteId":"GHSA-pw4v-x838-w5pg","title":"AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private\/Paid Videos","link":"https:\/\/github.com\/advisories\/GHSA-pw4v-x838-w5pg","cve":"CVE-2026-33292","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 16:43:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pw4v-x838-w5pg"}]},{"advisoryId":"PKSA-1msk-y5kh-hb4p","packageName":"wwbn\/avideo","remoteId":"GHSA-v467-g7g7-hhfh","title":"AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation","link":"https:\/\/github.com\/advisories\/GHSA-v467-g7g7-hhfh","cve":"CVE-2026-33237","affectedVersions":"\u003C=14.0","source":"GitHub","reportedAt":"2026-03-19 12:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v467-g7g7-hhfh"}]},{"advisoryId":"PKSA-484r-cdwt-2gm4","packageName":"wwbn\/avideo","remoteId":"GHSA-4wmm-6qxj-fpj4","title":"AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-4wmm-6qxj-fpj4","cve":"CVE-2026-33238","affectedVersions":"\u003C=14.0","source":"GitHub","reportedAt":"2026-03-19 12:43:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4wmm-6qxj-fpj4"}]},{"advisoryId":"PKSA-5drt-2yg3-m4bb","packageName":"wwbn\/avideo","remoteId":"GHSA-w5ff-2mjc-4phc","title":"AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command","link":"https:\/\/github.com\/advisories\/GHSA-w5ff-2mjc-4phc","cve":"CVE-2026-33319","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:45:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w5ff-2mjc-4phc"}]},{"advisoryId":"PKSA-3whn-q4tm-bwhh","packageName":"wwbn\/avideo","remoteId":"GHSA-5x2w-37xf-7962","title":"AVideo has Unauthenticated PGP Message Decryption via Public Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-5x2w-37xf-7962","cve":null,"affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:46:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5x2w-37xf-7962"}]},{"advisoryId":"PKSA-spwc-tcr7-cpby","packageName":"wwbn\/avideo","remoteId":"GHSA-9x67-f2v7-63rw","title":"AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy","link":"https:\/\/github.com\/advisories\/GHSA-9x67-f2v7-63rw","cve":"CVE-2026-33039","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 20:33:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9x67-f2v7-63rw"}]},{"advisoryId":"PKSA-qj1g-pbwp-h996","packageName":"wwbn\/avideo","remoteId":"GHSA-wfq5-qgqp-hvhv","title":"Unauthenticated Reflected XSS via innerHTML in AVideo","link":"https:\/\/github.com\/advisories\/GHSA-wfq5-qgqp-hvhv","cve":"CVE-2026-33035","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 20:05:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wfq5-qgqp-hvhv"}]},{"advisoryId":"PKSA-pcdx-pg9p-v4gz","packageName":"wwbn\/avideo","remoteId":"GHSA-qc3p-398r-p59j","title":"AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS","link":"https:\/\/github.com\/advisories\/GHSA-qc3p-398r-p59j","cve":"CVE-2026-33043","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 19:52:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qc3p-398r-p59j"}]},{"advisoryId":"PKSA-3jbs-pwhv-9v32","packageName":"wwbn\/avideo","remoteId":"GHSA-2f9h-23f7-8gcx","title":"AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments","link":"https:\/\/github.com\/advisories\/GHSA-2f9h-23f7-8gcx","cve":"CVE-2026-33038","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 19:46:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2f9h-23f7-8gcx"}]},{"advisoryId":"PKSA-v5mg-73g8-w2x4","packageName":"wwbn\/avideo","remoteId":"GHSA-px7x-gq96-rmp5","title":"AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php","link":"https:\/\/github.com\/advisories\/GHSA-px7x-gq96-rmp5","cve":"CVE-2026-33041","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 19:48:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-px7x-gq96-rmp5"}]},{"advisoryId":"PKSA-prng-jvqx-4vkt","packageName":"wwbn\/avideo","remoteId":"GHSA-6w2r-cfpc-23r5","title":"AVideo has Unauthenticated IDOR - Playlist Information Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-6w2r-cfpc-23r5","cve":"CVE-2026-30885","affectedVersions":"\u003C25.0","source":"GitHub","reportedAt":"2026-03-07 02:25:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6w2r-cfpc-23r5"}]},{"advisoryId":"PKSA-876z-dgrg-zwqs","packageName":"wwbn\/avideo","remoteId":"GHSA-xxpw-32hf-q8v9","title":"AVideo: Unauthenticated PHP session store exposed to host network via published memcached port","link":"https:\/\/github.com\/advisories\/GHSA-xxpw-32hf-q8v9","cve":"CVE-2026-29093","affectedVersions":"\u003C=21.0","source":"GitHub","reportedAt":"2026-03-05 01:22:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xxpw-32hf-q8v9"}]},{"advisoryId":"PKSA-jc43-whmg-bn3y","packageName":"wwbn\/avideo","remoteId":"GHSA-9j26-99jh-v26q","title":"WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects\/getImage.php","link":"https:\/\/github.com\/advisories\/GHSA-9j26-99jh-v26q","cve":"CVE-2026-29058","affectedVersions":"\u003C7.0.0","source":"GitHub","reportedAt":"2026-03-03 20:02:40","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9j26-99jh-v26q"}]},{"advisoryId":"PKSA-p5zb-45dv-s5gy","packageName":"wwbn\/avideo","remoteId":"GHSA-v8jw-8w5p-23g3","title":"AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction","link":"https:\/\/github.com\/advisories\/GHSA-v8jw-8w5p-23g3","cve":"CVE-2026-28502","affectedVersions":"\u003C21.0","source":"GitHub","reportedAt":"2026-03-02 20:56:52","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-v8jw-8w5p-23g3"}]},{"advisoryId":"PKSA-xtjn-tvnf-r8sj","packageName":"wwbn\/avideo","remoteId":"GHSA-pv87-r9qf-x56p","title":"AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects\/videos.json.php","link":"https:\/\/github.com\/advisories\/GHSA-pv87-r9qf-x56p","cve":"CVE-2026-28501","affectedVersions":"\u003C=21.0.0","source":"GitHub","reportedAt":"2026-03-02 20:49:43","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-pv87-r9qf-x56p"}]},{"advisoryId":"PKSA-mpqq-rw7h-r6qr","packageName":"wwbn\/avideo","remoteId":"GHSA-h39h-7cvg-q7j6","title":"AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php","link":"https:\/\/github.com\/advisories\/GHSA-h39h-7cvg-q7j6","cve":"CVE-2026-27732","affectedVersions":"\u003C=21.0.0","source":"GitHub","reportedAt":"2026-02-25 18:57:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-h39h-7cvg-q7j6"}]},{"advisoryId":"PKSA-zj1v-1r3y-vnpg","packageName":"wwbn\/avideo","remoteId":"GHSA-rcqw-6466-3mv7","title":"AVideo has Stored Cross-Site Scripting via Markdown Comment Injection","link":"https:\/\/github.com\/advisories\/GHSA-rcqw-6466-3mv7","cve":"CVE-2026-27568","affectedVersions":"\u003C21.0","source":"GitHub","reportedAt":"2026-02-20 21:15:06","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rcqw-6466-3mv7"}]}],"devcode-it\/openstamanager":[{"advisoryId":"PKSA-398m-bjsp-p21n","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-mmm5-3g4x-qw39","title":"OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals","link":"https:\/\/github.com\/advisories\/GHSA-mmm5-3g4x-qw39","cve":"CVE-2026-35470","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 21:57:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mmm5-3g4x-qw39"}]},{"advisoryId":"PKSA-dx7q-hp3f-cn12","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-2fr7-cc4f-wh98","title":"OpenSTAManager: SQL Injection via Aggiornamenti Module","link":"https:\/\/github.com\/advisories\/GHSA-2fr7-cc4f-wh98","cve":"CVE-2026-35168","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 03:47:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fr7-cc4f-wh98"}]},{"advisoryId":"PKSA-84pv-3jy7-8y8y","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-3gw8-3mg3-jmpc","title":"OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter","link":"https:\/\/github.com\/advisories\/GHSA-3gw8-3mg3-jmpc","cve":"CVE-2026-28805","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-01 19:46:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3gw8-3mg3-jmpc"}]},{"advisoryId":"PKSA-7wd8-5d3q-gt4k","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-whv5-4q2f-q68g","title":"OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2","link":"https:\/\/github.com\/advisories\/GHSA-whv5-4q2f-q68g","cve":"CVE-2026-29782","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-01 19:46:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-whv5-4q2f-q68g"}]},{"advisoryId":"PKSA-gkxr-gfn8-3tk2","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-247v-7cw6-q57v","title":"OpenSTAManager affected by unauthenticated privilege escalation via modules\/utenti\/actions.php","link":"https:\/\/github.com\/advisories\/GHSA-247v-7cw6-q57v","cve":"CVE-2026-27012","affectedVersions":"\u003C=2.9.8","source":"GitHub","reportedAt":"2026-03-03 17:43:49","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-247v-7cw6-q57v"}]},{"advisoryId":"PKSA-xj58-vqx8-fbpq","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-jfgp-g7x7-j25j","title":"OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter","link":"https:\/\/github.com\/advisories\/GHSA-jfgp-g7x7-j25j","cve":"CVE-2026-24415","affectedVersions":"\u003C2.9.8","source":"GitHub","reportedAt":"2026-03-03 17:39:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jfgp-g7x7-j25j"}]},{"advisoryId":"PKSA-h29d-v9rg-p75n","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-4hc4-8599-xh2h","title":"OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service","link":"https:\/\/github.com\/advisories\/GHSA-4hc4-8599-xh2h","cve":"CVE-2026-24417","affectedVersions":"\u003C2.9.8","source":"GitHub","reportedAt":"2026-02-06 18:23:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4hc4-8599-xh2h"}]},{"advisoryId":"PKSA-ff9m-7w2n-x2fw","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-4xwv-49c8-fvhq","title":"OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module","link":"https:\/\/github.com\/advisories\/GHSA-4xwv-49c8-fvhq","cve":"CVE-2026-24418","affectedVersions":"\u003C=2.9.8","source":"GitHub","reportedAt":"2026-02-06 18:24:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4xwv-49c8-fvhq"}]},{"advisoryId":"PKSA-6h6r-npfh-qb3m","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-4j2x-jh4m-fqv6","title":"OpenSTAManager has a SQL Injection in the Prima Nota  module ","link":"https:\/\/github.com\/advisories\/GHSA-4j2x-jh4m-fqv6","cve":"CVE-2026-24419","affectedVersions":"\u003C=2.9.8","source":"GitHub","reportedAt":"2026-02-06 18:25:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4j2x-jh4m-fqv6"}]},{"advisoryId":"PKSA-9s5k-763f-q4yd","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-p864-fqgv-92q4","title":"OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module","link":"https:\/\/github.com\/advisories\/GHSA-p864-fqgv-92q4","cve":"CVE-2026-24416","affectedVersions":"\u003C=2.9.8","source":"GitHub","reportedAt":"2026-02-06 18:19:51","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p864-fqgv-92q4"}]},{"advisoryId":"PKSA-wvq9-cxvz-jy62","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-qjv8-63xq-gq8m","title":"OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)","link":"https:\/\/github.com\/advisories\/GHSA-qjv8-63xq-gq8m","cve":"CVE-2025-69214","affectedVersions":"\u003C=2.9.8","source":"GitHub","reportedAt":"2026-02-06 18:04:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qjv8-63xq-gq8m"}]},{"advisoryId":"PKSA-vrdb-wqb7-67h2","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-q6g3-fv43-m2w6","title":"OpenSTAManager has a SQL Injection in Scadenzario Print Template","link":"https:\/\/github.com\/advisories\/GHSA-q6g3-fv43-m2w6","cve":"CVE-2025-69216","affectedVersions":"\u003C=2.9.8","source":"GitHub","reportedAt":"2026-02-06 18:06:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q6g3-fv43-m2w6"}]},{"advisoryId":"PKSA-myj2-kgh7-vymm","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-25fp-8w8p-mx36","title":"OpenSTAManager has an OS Command Injection in P7M File Processing","link":"https:\/\/github.com\/advisories\/GHSA-25fp-8w8p-mx36","cve":"CVE-2025-69212","affectedVersions":"\u003C=2.9.8","source":"GitHub","reportedAt":"2026-02-06 17:59:37","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-25fp-8w8p-mx36"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-m42v-jjr9-d9jw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vr2g-rhm5-q4jr","title":"CI4MS: Profile \u0026 User Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-vr2g-rhm5-q4jr","cve":"CVE-2026-34989","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-03 04:00:57","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-vr2g-rhm5-q4jr"}]},{"advisoryId":"PKSA-76s3-z1f6-2f6c","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-gcfj-cf7j-vwgj","title":"CI4MS: System Settings (Social Media Management) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-gcfj-cf7j-vwgj","cve":"CVE-2026-34561","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:02:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcfj-cf7j-vwgj"}]},{"advisoryId":"PKSA-5wvv-b5q1-7q3y","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-v897-c6vq-6cr3","title":"CI4MS: System Settings (Company Information) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-v897-c6vq-6cr3","cve":"CVE-2026-34562","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:03:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v897-c6vq-6cr3"}]},{"advisoryId":"PKSA-htcp-qzb1-t2rb","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-85m8-g393-jcxf","title":"CI4MS: Backup Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM Blind XSS","link":"https:\/\/github.com\/advisories\/GHSA-85m8-g393-jcxf","cve":"CVE-2026-34563","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:04:21","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-85m8-g393-jcxf"}]},{"advisoryId":"PKSA-dscn-pm72-89xm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-g4pp-fhgf-8653","title":"CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-g4pp-fhgf-8653","cve":"CVE-2026-34564","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:04:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-g4pp-fhgf-8653"}]},{"advisoryId":"PKSA-xz64-59cc-54j6","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-xgh5-w62m-8mpr","title":"CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-xgh5-w62m-8mpr","cve":"CVE-2026-34565","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:05:45","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-xgh5-w62m-8mpr"}]},{"advisoryId":"PKSA-xqh9-kym3-gzkm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-458r-h248-29c5","title":"CI4MS: Pages Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-458r-h248-29c5","cve":"CVE-2026-34566","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:06:28","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-458r-h248-29c5"}]},{"advisoryId":"PKSA-485k-t9tj-8z9f","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-r33w-c82v-x5v7","title":"CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-r33w-c82v-x5v7","cve":"CVE-2026-34567","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:06:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-r33w-c82v-x5v7"}]},{"advisoryId":"PKSA-vbz6-f418-8p15","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-x7wh-g25g-53vg","title":"CI4MS: Blogs Posts Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-x7wh-g25g-53vg","cve":"CVE-2026-34568","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:07:13","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-x7wh-g25g-53vg"}]},{"advisoryId":"PKSA-418j-5ftc-hsbw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fhrf-q333-82fm","title":"CI4MS: Blogs Categories Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-fhrf-q333-82fm","cve":"CVE-2026-34569","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:07:37","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fhrf-q333-82fm"}]},{"advisoryId":"PKSA-xc2p-nr46-tjxw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-4vxv-4xq4-p84h","title":"CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)","link":"https:\/\/github.com\/advisories\/GHSA-4vxv-4xq4-p84h","cve":"CVE-2026-34570","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:08:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4vxv-4xq4-p84h"}]},{"advisoryId":"PKSA-vgkt-cmh2-qyjg","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fc4p-p49v-r948","title":"CI4MS: Stored Cross\u2011Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise","link":"https:\/\/github.com\/advisories\/GHSA-fc4p-p49v-r948","cve":"CVE-2026-34571","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:09:03","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fc4p-p49v-r948"}]},{"advisoryId":"PKSA-srvq-v3bs-mj79","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-8fq3-c5w3-pj3q","title":"CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)","link":"https:\/\/github.com\/advisories\/GHSA-8fq3-c5w3-pj3q","cve":"CVE-2026-34572","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:09:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8fq3-c5w3-pj3q"}]},{"advisoryId":"PKSA-vjzx-2b18-dktw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-4333-387x-w245","title":"CI4MS: Blogs Tags Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-4333-387x-w245","cve":"CVE-2026-34559","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 21:53:01","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-4333-387x-w245"}]},{"advisoryId":"PKSA-9k1p-9kvd-d2db","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-r4v5-rwr2-q7r4","title":"CI4MS: Logs Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-r4v5-rwr2-q7r4","cve":"CVE-2026-34560","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 21:54:27","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-r4v5-rwr2-q7r4"}]},{"advisoryId":"PKSA-rqgq-p6xv-4qz8","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-rpjr-985c-qhvm","title":"CI4MS: Permissions Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-rpjr-985c-qhvm","cve":"CVE-2026-34557","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 00:10:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-rpjr-985c-qhvm"}]},{"advisoryId":"PKSA-r2q1-2d2k-3p65","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-v77r-xg3p-75g7","title":"CI4MS: Methods Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-v77r-xg3p-75g7","cve":"CVE-2026-34558","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 00:09:24","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-v77r-xg3p-75g7"}]},{"advisoryId":"PKSA-3cpq-nyc1-zgst","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-66m2-v9v9-95c3","title":"ci4-cms-erp\/ci4ms: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-66m2-v9v9-95c3","cve":"CVE-2026-27599","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-03-30 16:19:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66m2-v9v9-95c3"}]}],"auth0\/login":[{"advisoryId":"PKSA-9fpd-p7cq-9hfg","packageName":"auth0\/login","remoteId":"GHSA-fmg6-246m-9g2v","title":"Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-fmg6-246m-9g2v","cve":null,"affectedVersions":"\u003E=7.0.0,\u003C=7.20.0","source":"GitHub","reportedAt":"2026-04-03 03:41:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fmg6-246m-9g2v"}]}],"auth0\/wordpress":[{"advisoryId":"PKSA-rbsn-2z23-mspc","packageName":"auth0\/wordpress","remoteId":"GHSA-vfpx-q664-h93m","title":"Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-vfpx-q664-h93m","cve":null,"affectedVersions":"\u003E=5.0.0-BETA0,\u003C=5.5.0","source":"GitHub","reportedAt":"2026-04-03 03:43:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vfpx-q664-h93m"}]}],"auth0\/symfony":[{"advisoryId":"PKSA-kmxg-njz7-dx5f","packageName":"auth0\/symfony","remoteId":"GHSA-ghc5-95c2-vwcv","title":"Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-ghc5-95c2-vwcv","cve":null,"affectedVersions":"\u003E=5.0.0,\u003C=5.7.0","source":"GitHub","reportedAt":"2026-04-03 03:44:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ghc5-95c2-vwcv"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-fk9h-qz7y-fk1q","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gcp9-5jc8-976x","title":"phpMyFAQ has a LIKE Wildcard Injection in Search.php \u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-gcp9-5jc8-976x","cve":"CVE-2026-34973","affectedVersions":"\u003C4.1.1","source":"GitHub","reportedAt":"2026-04-01 23:41:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcp9-5jc8-976x"}]},{"advisoryId":"PKSA-yy2b-x6vy-wsx2","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-5crx-pfhq-4hgg","title":"phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation","link":"https:\/\/github.com\/advisories\/GHSA-5crx-pfhq-4hgg","cve":"CVE-2026-34974","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 23:42:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5crx-pfhq-4hgg"}]},{"advisoryId":"PKSA-t2yv-wns1-2p5c","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-98gw-w575-h2ph","title":"phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor","link":"https:\/\/github.com\/advisories\/GHSA-98gw-w575-h2ph","cve":"CVE-2026-32629","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-03-31 22:48:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98gw-w575-h2ph"}]},{"advisoryId":"PKSA-y9f6-42c9-xggs","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-w22q-m2fm-x9f4","title":"phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-w22q-m2fm-x9f4","cve":"CVE-2026-27836","affectedVersions":"\u003C4.0.18","source":"GitHub","reportedAt":"2026-02-27 21:01:58","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w22q-m2fm-x9f4"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-n57d-sn2t-c46g","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-38m8-xrfj-v38x","title":"phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController","link":"https:\/\/github.com\/advisories\/GHSA-38m8-xrfj-v38x","cve":"CVE-2026-34728","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 22:30:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-38m8-xrfj-v38x"}]},{"advisoryId":"PKSA-yq8b-v8fg-rvf8","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-cv2g-8cj8-vgc7","title":"phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()","link":"https:\/\/github.com\/advisories\/GHSA-cv2g-8cj8-vgc7","cve":"CVE-2026-34729","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 22:31:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cv2g-8cj8-vgc7"}]},{"advisoryId":"PKSA-25jh-4r4k-gpj5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-98gw-w575-h2ph","title":"phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor","link":"https:\/\/github.com\/advisories\/GHSA-98gw-w575-h2ph","cve":"CVE-2026-32629","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-03-31 22:48:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98gw-w575-h2ph"}]}],"auth0\/auth0-php":[{"advisoryId":"PKSA-3nzc-cgjr-2gwf","packageName":"auth0\/auth0-php","remoteId":"GHSA-w3wc-44p4-m4j7","title":"Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-w3wc-44p4-m4j7","cve":"CVE-2026-34236","affectedVersions":"\u003E=8.0.0,\u003C=8.18.0","source":"GitHub","reportedAt":"2026-04-01 20:29:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w3wc-44p4-m4j7"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-v42k-yy3p-gtyh","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-5724-x3rh-5qqq","title":"YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities","link":"https:\/\/github.com\/advisories\/GHSA-5724-x3rh-5qqq","cve":null,"affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:24:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5724-x3rh-5qqq"}]},{"advisoryId":"PKSA-wfcs-d3sq-n6dj","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-37fq-47qj-6j5j","title":"YesWiki has Persistant Blind XSS at \u0022\/?BazaR\u0026vue=consulter\u0022","link":"https:\/\/github.com\/advisories\/GHSA-37fq-47qj-6j5j","cve":"CVE-2026-34598","affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:13:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37fq-47qj-6j5j"}]}],"admidio\/admidio":[{"advisoryId":"PKSA-xdc9-2g6y-xpdf","packageName":"admidio\/admidio","remoteId":"GHSA-7fh7-8xqm-3g88","title":"Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess","link":"https:\/\/github.com\/advisories\/GHSA-7fh7-8xqm-3g88","cve":"CVE-2026-34381","affectedVersions":"\u003E=5.0.0,\u003C5.0.8","source":"GitHub","reportedAt":"2026-03-31 23:10:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7fh7-8xqm-3g88"}]},{"advisoryId":"PKSA-rjbb-v642-bmj1","packageName":"admidio\/admidio","remoteId":"GHSA-g3mx-8jm6-rc85","title":"Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php","link":"https:\/\/github.com\/advisories\/GHSA-g3mx-8jm6-rc85","cve":"CVE-2026-34382","affectedVersions":"\u003E=5.0.0,\u003C=5.0.7","source":"GitHub","reportedAt":"2026-03-31 23:10:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g3mx-8jm6-rc85"}]},{"advisoryId":"PKSA-rs6z-52fv-dzjt","packageName":"admidio\/admidio","remoteId":"GHSA-ph84-r98x-2j22","title":"Admidio has Missing CSRF Protection on Registration Approval Actions","link":"https:\/\/github.com\/advisories\/GHSA-ph84-r98x-2j22","cve":"CVE-2026-34384","affectedVersions":"\u003C5.0.8","source":"GitHub","reportedAt":"2026-03-31 23:11:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ph84-r98x-2j22"}]},{"advisoryId":"PKSA-ksvx-vqkf-t9m4","packageName":"admidio\/admidio","remoteId":"GHSA-4rwm-c5mj-wh7x","title":"Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter","link":"https:\/\/github.com\/advisories\/GHSA-4rwm-c5mj-wh7x","cve":"CVE-2026-34383","affectedVersions":"\u003C=5.0.7","source":"GitHub","reportedAt":"2026-03-31 23:11:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4rwm-c5mj-wh7x"}]},{"advisoryId":"PKSA-z3z9-x952-96sj","packageName":"admidio\/admidio","remoteId":"GHSA-95cq-p4w2-32w5","title":"File Upload(RCE) Vulnerability in admidio","link":"https:\/\/github.com\/advisories\/GHSA-95cq-p4w2-32w5","cve":"CVE-2026-32756","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:16:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-95cq-p4w2-32w5"}]},{"advisoryId":"PKSA-1wgg-nst3-ctpz","packageName":"admidio\/admidio","remoteId":"GHSA-wwg8-6ffr-h4q2","title":"Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions","link":"https:\/\/github.com\/advisories\/GHSA-wwg8-6ffr-h4q2","cve":"CVE-2026-32816","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:17:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wwg8-6ffr-h4q2"}]},{"advisoryId":"PKSA-ym3s-c4g7-mjjc","packageName":"admidio\/admidio","remoteId":"GHSA-h8gr-qwr6-m9gx","title":"Admidio is Missing CSRF Protection on Role Membership Date Changes","link":"https:\/\/github.com\/advisories\/GHSA-h8gr-qwr6-m9gx","cve":"CVE-2026-32755","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:17:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h8gr-qwr6-m9gx"}]},{"advisoryId":"PKSA-k5pv-h718-ynrx","packageName":"admidio\/admidio","remoteId":"GHSA-6j68-gcc3-mq73","title":"Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-6j68-gcc3-mq73","cve":"CVE-2026-32812","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:17:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6j68-gcc3-mq73"}]},{"advisoryId":"PKSA-stt3-wv6m-657m","packageName":"admidio\/admidio","remoteId":"GHSA-rmpj-3x5m-9m5f","title":"Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion","link":"https:\/\/github.com\/advisories\/GHSA-rmpj-3x5m-9m5f","cve":"CVE-2026-32817","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:18:10","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-rmpj-3x5m-9m5f"}]},{"advisoryId":"PKSA-sgr9-nmmb-pbwy","packageName":"admidio\/admidio","remoteId":"GHSA-4wr4-f2qf-x5wj","title":"Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection","link":"https:\/\/github.com\/advisories\/GHSA-4wr4-f2qf-x5wj","cve":"CVE-2026-32757","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:18:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4wr4-f2qf-x5wj"}]},{"advisoryId":"PKSA-vs7x-4q3q-rbsp","packageName":"admidio\/admidio","remoteId":"GHSA-g375-5wmp-xr78","title":"Admidio is Missing Authorization on Forum Topic and Post Deletion","link":"https:\/\/github.com\/advisories\/GHSA-g375-5wmp-xr78","cve":"CVE-2026-32818","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:18:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g375-5wmp-xr78"}]},{"advisoryId":"PKSA-gmjw-r3kp-z9vp","packageName":"admidio\/admidio","remoteId":"GHSA-3x67-4c2c-w45m","title":"Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)","link":"https:\/\/github.com\/advisories\/GHSA-3x67-4c2c-w45m","cve":"CVE-2026-32813","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:19:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3x67-4c2c-w45m"}]},{"advisoryId":"PKSA-m5mq-p62f-xpq3","packageName":"admidio\/admidio","remoteId":"GHSA-7pfv-hr63-h7cw","title":"Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter","link":"https:\/\/github.com\/advisories\/GHSA-7pfv-hr63-h7cw","cve":"CVE-2026-30927","affectedVersions":"\u003C5.0.6","source":"GitHub","reportedAt":"2026-03-09 19:45:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7pfv-hr63-h7cw"}]}],"j0k3r\/graby":[{"advisoryId":"PKSA-j5hk-b83d-1p4h","packageName":"j0k3r\/graby","remoteId":"GHSA-3h6j-9x8m-rg3g","title":"Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config","link":"https:\/\/github.com\/advisories\/GHSA-3h6j-9x8m-rg3g","cve":null,"affectedVersions":"\u003C=2.5.0","source":"GitHub","reportedAt":"2026-03-31 23:12:36","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3h6j-9x8m-rg3g"}]}],"baserproject\/basercms":[{"advisoryId":"PKSA-hd1x-n8tw-4v66","packageName":"baserproject\/basercms","remoteId":"GHSA-677c-xv24-crgx","title":"baserCMS is Vulnerable to Cross-site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-677c-xv24-crgx","cve":"CVE-2026-32734","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:52:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-677c-xv24-crgx"}]},{"advisoryId":"PKSA-kcyg-5jhp-1x3h","packageName":"baserproject\/basercms","remoteId":"GHSA-jmq3-x8q7-j9qm","title":"baserCMS has a cross-site scripting vulnerability in blog posts","link":"https:\/\/github.com\/advisories\/GHSA-jmq3-x8q7-j9qm","cve":"CVE-2026-30879","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:43:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jmq3-x8q7-j9qm"}]},{"advisoryId":"PKSA-9wbk-k4bx-zvqq","packageName":"baserproject\/basercms","remoteId":"GHSA-6hpg-8rx3-cwgv","title":"baserCMS has OS command injection vulnerability in installer","link":"https:\/\/github.com\/advisories\/GHSA-6hpg-8rx3-cwgv","cve":"CVE-2026-30880","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:43:31","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-6hpg-8rx3-cwgv"}]},{"advisoryId":"PKSA-6jcy-61hj-18tr","packageName":"baserproject\/basercms","remoteId":"GHSA-c5c6-37vq-pjcq","title":"baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API","link":"https:\/\/github.com\/advisories\/GHSA-c5c6-37vq-pjcq","cve":"CVE-2026-30940","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:47:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c5c6-37vq-pjcq"}]},{"advisoryId":"PKSA-1768-n8q1-3816","packageName":"baserproject\/basercms","remoteId":"GHSA-vh89-rjph-2g7p","title":"baserCMS has an SQL injection vulnerability in its blog post functionality","link":"https:\/\/github.com\/advisories\/GHSA-vh89-rjph-2g7p","cve":"CVE-2026-27697","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:35:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vh89-rjph-2g7p"}]},{"advisoryId":"PKSA-mr15-f3n3-4vy5","packageName":"baserproject\/basercms","remoteId":"GHSA-m9g7-rgfc-jcm7","title":"baserCMS Update Functionality Vulnerable to OS Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-m9g7-rgfc-jcm7","cve":"CVE-2026-30877","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:35:47","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-m9g7-rgfc-jcm7"}]},{"advisoryId":"PKSA-ztxq-vhtb-jhvy","packageName":"baserproject\/basercms","remoteId":"GHSA-8cr7-r8qw-gp3c","title":"baserCMS has Mail Form Acceptance Bypass via Public API","link":"https:\/\/github.com\/advisories\/GHSA-8cr7-r8qw-gp3c","cve":"CVE-2026-30878","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:36:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8cr7-r8qw-gp3c"}]},{"advisoryId":"PKSA-mrz2-4hdf-297k","packageName":"baserproject\/basercms","remoteId":"GHSA-hv78-cwp4-8r7r","title":"baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-hv78-cwp4-8r7r","cve":"CVE-2025-32957","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:22:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hv78-cwp4-8r7r"}]},{"advisoryId":"PKSA-xyh3-vpd8-cdnh","packageName":"baserproject\/basercms","remoteId":"GHSA-qxmc-6f24-g86g","title":"baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-qxmc-6f24-g86g","cve":"CVE-2026-21861","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:27:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-qxmc-6f24-g86g"}]}],"sulu\/sulu":[{"advisoryId":"PKSA-s8fv-tzzv-5y3k","packageName":"sulu\/sulu","remoteId":"GHSA-6h7h-m7p5-hjqp","title":"Sulu checks fix permissions for subentities endpoints","link":"https:\/\/github.com\/advisories\/GHSA-6h7h-m7p5-hjqp","cve":"CVE-2026-34372","affectedVersions":"\u003E=3.0.0,\u003C3.0.5|\u003E=1.0.0,\u003C2.6.22","source":"GitHub","reportedAt":"2026-03-30 18:04:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6h7h-m7p5-hjqp"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-nqgv-t4m1-732c","packageName":"getkirby\/cms","remoteId":"GHSA-cw7v-45wm-mcf2","title":"Kirby CMS has Persistent DoS via Malformed Image Upload","link":"https:\/\/github.com\/advisories\/GHSA-cw7v-45wm-mcf2","cve":"CVE-2026-29905","affectedVersions":"\u003C5.2.0-rc.1","source":"GitHub","reportedAt":"2026-03-27 22:21:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cw7v-45wm-mcf2"}]}],"aws\/aws-sdk-php":[{"advisoryId":"PKSA-4t1p-xpk2-nsss","packageName":"aws\/aws-sdk-php","remoteId":"GHSA-27qh-8cxx-2cr5","title":"AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters","link":"https:\/\/github.com\/advisories\/GHSA-27qh-8cxx-2cr5","cve":null,"affectedVersions":"\u003E=3.11.7,\u003C=3.371.3","source":"GitHub","reportedAt":"2026-03-27 19:54:58","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-27qh-8cxx-2cr5"}]}],"saloonphp\/saloon":[{"advisoryId":"PKSA-xnj5-w74d-6wmz","packageName":"saloonphp\/saloon","remoteId":"GHSA-rf88-776r-rcq9","title":"Saloon has insecure deserialization in AccessTokenAuthenticator","link":"https:\/\/github.com\/advisories\/GHSA-rf88-776r-rcq9","cve":"CVE-2026-33942","affectedVersions":"\u003C4.0.0","source":"GitHub","reportedAt":"2026-03-27 18:33:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rf88-776r-rcq9"}]},{"advisoryId":"PKSA-5szq-gvrg-ttfq","packageName":"saloonphp\/saloon","remoteId":"GHSA-c83f-3xp6-hfcp","title":"Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL","link":"https:\/\/github.com\/advisories\/GHSA-c83f-3xp6-hfcp","cve":"CVE-2026-33182","affectedVersions":"\u003C4.0.0","source":"GitHub","reportedAt":"2026-03-25 22:00:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c83f-3xp6-hfcp"}]},{"advisoryId":"PKSA-rnpm-45mg-w6ht","packageName":"saloonphp\/saloon","remoteId":"GHSA-f7xc-5852-fj99","title":"Saloon has a Fixture Name Path Traversal Vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-f7xc-5852-fj99","cve":"CVE-2026-33183","affectedVersions":"\u003C4.0.0","source":"GitHub","reportedAt":"2026-03-25 22:00:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7xc-5852-fj99"}]}],"dolibarr\/dolibarr":[{"advisoryId":"PKSA-bc6q-cg7z-6rnf","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-2mfj-r695-5h9r","title":"Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php ","link":"https:\/\/github.com\/advisories\/GHSA-2mfj-r695-5h9r","cve":"CVE-2026-34036","affectedVersions":"\u003C=22.0.4","source":"GitHub","reportedAt":"2026-03-27 18:04:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2mfj-r695-5h9r"}]}],"hybridauth\/hybridauth":[{"advisoryId":"PKSA-27jb-7jhc-ynjm","packageName":"hybridauth\/hybridauth","remoteId":"GHSA-r3hf-q3mf-7h6w","title":"HybridAuth Has Improper SSL Certificate Validation in Curl HTTP Client","link":"https:\/\/github.com\/advisories\/GHSA-r3hf-q3mf-7h6w","cve":"CVE-2026-4587","affectedVersions":"\u003C=3.12.2","source":"GitHub","reportedAt":"2026-03-23 15:30:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r3hf-q3mf-7h6w"}]}],"miraheze\/ts-portal":[{"advisoryId":"PKSA-7xkw-5f95-g3th","packageName":"miraheze\/ts-portal","remoteId":"GHSA-f346-8rp3-4h9h","title":"TSPortal\u0027s Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service","link":"https:\/\/github.com\/advisories\/GHSA-f346-8rp3-4h9h","cve":"CVE-2026-33541","affectedVersions":"\u003C=33","source":"GitHub","reportedAt":"2026-03-27 15:42:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f346-8rp3-4h9h"}]},{"advisoryId":"PKSA-95py-dkb3-3t1y","packageName":"miraheze\/ts-portal","remoteId":"GHSA-gfhq-7499-f3f2","title":"TSPortal: Any user can forge self-deletion requests for any account","link":"https:\/\/github.com\/advisories\/GHSA-gfhq-7499-f3f2","cve":"CVE-2026-29788","affectedVersions":"\u003C=29","source":"GitHub","reportedAt":"2026-03-27 15:37:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gfhq-7499-f3f2"}]}],"statamic\/cms":[{"advisoryId":"PKSA-8f4x-d8sb-16sq","packageName":"statamic\/cms","remoteId":"GHSA-cvh3-23vq-w7h4","title":"Statamic\u0027s Markdown preview endpoint exposes sensitive user data","link":"https:\/\/github.com\/advisories\/GHSA-cvh3-23vq-w7h4","cve":"CVE-2026-33882","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:03:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cvh3-23vq-w7h4"}]},{"advisoryId":"PKSA-ffqw-wkbr-m6bg","packageName":"statamic\/cms","remoteId":"GHSA-3jg4-p23x-p4qx","title":"Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag","link":"https:\/\/github.com\/advisories\/GHSA-3jg4-p23x-p4qx","cve":"CVE-2026-33883","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:05:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3jg4-p23x-p4qx"}]},{"advisoryId":"PKSA-tg1h-vfwx-wzp9","packageName":"statamic\/cms","remoteId":"GHSA-8vwx-ccf6-5wg2","title":"Statamic\u0027s live preview token bypasses content protection for unrelated entries","link":"https:\/\/github.com\/advisories\/GHSA-8vwx-ccf6-5wg2","cve":"CVE-2026-33884","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:05:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8vwx-ccf6-5wg2"}]},{"advisoryId":"PKSA-3yh1-q236-qg5b","packageName":"statamic\/cms","remoteId":"GHSA-7f74-7q5w-hj4r","title":"Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential","link":"https:\/\/github.com\/advisories\/GHSA-7f74-7q5w-hj4r","cve":"CVE-2026-33885","affectedVersions":"\u003E=6.0.0.alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:05:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7f74-7q5w-hj4r"}]},{"advisoryId":"PKSA-74j5-mc2z-3jj1","packageName":"statamic\/cms","remoteId":"GHSA-gcqf-5x9f-hq7f","title":"Statamic\u0027s sensitive configuration values are exposed to content editors via Antlers-enabled fields","link":"https:\/\/github.com\/advisories\/GHSA-gcqf-5x9f-hq7f","cve":"CVE-2026-33886","affectedVersions":"\u003E=6.5.0,\u003C6.7.2|\u003E=5.73.12,\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:06:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcqf-5x9f-hq7f"}]},{"advisoryId":"PKSA-yd5q-tqxd-dxfr","packageName":"statamic\/cms","remoteId":"GHSA-4hp7-3wxg-cv9q","title":"Statamic allows unauthorized content access through missing authorization in its revision controllers ","link":"https:\/\/github.com\/advisories\/GHSA-4hp7-3wxg-cv9q","cve":"CVE-2026-33887","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:07:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4hp7-3wxg-cv9q"}]},{"advisoryId":"PKSA-4mnq-vkqt-4wqf","packageName":"statamic\/cms","remoteId":"GHSA-qm7r-wwq7-6f85","title":"Statamic has a path traversal in file dictionary fieldtype","link":"https:\/\/github.com\/advisories\/GHSA-qm7r-wwq7-6f85","cve":"CVE-2026-33171","affectedVersions":"\u003C5.73.14|\u003E=6.0.0-alpha.1,\u003C6.7.0","source":"GitHub","reportedAt":"2026-03-18 20:00:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qm7r-wwq7-6f85"}]},{"advisoryId":"PKSA-ymb8-dx7z-7137","packageName":"statamic\/cms","remoteId":"GHSA-wh3h-gvc4-cc2g","title":"Statamic is missing authorization check on taxonomy term creation via fieldtype","link":"https:\/\/github.com\/advisories\/GHSA-wh3h-gvc4-cc2g","cve":"CVE-2026-33177","affectedVersions":"\u003C5.73.14|\u003E=6.0.0-alpha.1,\u003C6.7.0","source":"GitHub","reportedAt":"2026-03-18 20:00:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wh3h-gvc4-cc2g"}]},{"advisoryId":"PKSA-8wnz-z9p8-kd44","packageName":"statamic\/cms","remoteId":"GHSA-7rcv-55mj-chg7","title":"Statamic has Stored XSS via SVG Sanitization Bypass","link":"https:\/\/github.com\/advisories\/GHSA-7rcv-55mj-chg7","cve":"CVE-2026-33172","affectedVersions":"\u003C5.73.14|\u003E=6.0.0-alpha.1,\u003C6.7.0","source":"GitHub","reportedAt":"2026-03-18 19:54:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7rcv-55mj-chg7"}]},{"advisoryId":"PKSA-thnk-qh3m-ttzb","packageName":"statamic\/cms","remoteId":"GHSA-hcch-w73c-jp4m","title":"Statamic vulnerable to privilege escalation via stored cross-site scripting","link":"https:\/\/github.com\/advisories\/GHSA-hcch-w73c-jp4m","cve":"CVE-2026-32612","affectedVersions":"\u003E=6.0.0,\u003C6.6.2","source":"GitHub","reportedAt":"2026-03-13 20:50:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hcch-w73c-jp4m"}]},{"advisoryId":"PKSA-n7ys-rxzm-bn18","packageName":"statamic\/cms","remoteId":"GHSA-cwpp-325q-2cvp","title":"Statamic Vulnerable to Server-Side Request Forgery via Glide","link":"https:\/\/github.com\/advisories\/GHSA-cwpp-325q-2cvp","cve":"CVE-2026-28423","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.4.0|\u003C5.73.11","source":"GitHub","reportedAt":"2026-03-01 01:30:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cwpp-325q-2cvp"}]},{"advisoryId":"PKSA-hycr-3628-cp88","packageName":"statamic\/cms","remoteId":"GHSA-w878-f8c6-7r63","title":"Statamic\u0027s missing authorization allows access to email addresses","link":"https:\/\/github.com\/advisories\/GHSA-w878-f8c6-7r63","cve":"CVE-2026-28424","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.4.0|\u003C5.73.11","source":"GitHub","reportedAt":"2026-03-01 01:30:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w878-f8c6-7r63"}]},{"advisoryId":"PKSA-skzr-by55-tmc5","packageName":"statamic\/cms","remoteId":"GHSA-cpv7-q2wx-m8rw","title":"Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs","link":"https:\/\/github.com\/advisories\/GHSA-cpv7-q2wx-m8rw","cve":"CVE-2026-28425","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-01 01:30:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cpv7-q2wx-m8rw"}]},{"advisoryId":"PKSA-81wb-3yhb-txs4","packageName":"statamic\/cms","remoteId":"GHSA-5vrj-wf7v-5wr7","title":"Statamic vulnerable to privilege escalation via stored cross-site scripting","link":"https:\/\/github.com\/advisories\/GHSA-5vrj-wf7v-5wr7","cve":"CVE-2026-28426","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.4.0|\u003C5.73.11","source":"GitHub","reportedAt":"2026-03-01 01:31:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5vrj-wf7v-5wr7"}]},{"advisoryId":"PKSA-7n8y-6n2j-9v3z","packageName":"statamic\/cms","remoteId":"GHSA-rw9x-pxqx-q789","title":"Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass","link":"https:\/\/github.com\/advisories\/GHSA-rw9x-pxqx-q789","cve":"CVE-2026-27939","affectedVersions":"\u003E=6.0.0,\u003C6.4.0","source":"GitHub","reportedAt":"2026-02-27 21:35:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rw9x-pxqx-q789"}]},{"advisoryId":"PKSA-w3y4-x9d3-9t28","packageName":"statamic\/cms","remoteId":"GHSA-jxq9-79vj-rgvw","title":"Statamic is vulnerable to account takeover via password reset link injection","link":"https:\/\/github.com\/advisories\/GHSA-jxq9-79vj-rgvw","cve":"CVE-2026-27593","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.1|\u003C5.73.10","source":"GitHub","reportedAt":"2026-02-24 21:09:23","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-jxq9-79vj-rgvw"}]},{"advisoryId":"PKSA-vfrr-bp4n-314v","packageName":"statamic\/cms","remoteId":"GHSA-8r7r-f4gm-wcpq","title":"Statamic affected by privilege escalation via stored cross-site scripting","link":"https:\/\/github.com\/advisories\/GHSA-8r7r-f4gm-wcpq","cve":"CVE-2026-27196","affectedVersions":"\u003C5.73.9|\u003E=6.0.0-alpha.1,\u003C6.3.2","source":"GitHub","reportedAt":"2026-02-19 20:30:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8r7r-f4gm-wcpq"}]},{"advisoryId":"PKSA-fst8-xgkz-31tn","packageName":"statamic\/cms","remoteId":"GHSA-ff9r-ww9c-43x8","title":"Statamic CMS vulnerable to privilege escalation via stored cross-site scripting","link":"https:\/\/github.com\/advisories\/GHSA-ff9r-ww9c-43x8","cve":"CVE-2026-25759","affectedVersions":"\u003E=6.0.0,\u003C6.2.3","source":"GitHub","reportedAt":"2026-02-11 18:17:58","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ff9r-ww9c-43x8"}]},{"advisoryId":"PKSA-nr63-r5tp-xby1","packageName":"statamic\/cms","remoteId":"GHSA-gwmx-9gcj-332h","title":"Statamic CMS\u0027s missing authorization allows access to assets","link":"https:\/\/github.com\/advisories\/GHSA-gwmx-9gcj-332h","cve":"CVE-2026-25633","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.2.5|\u003C5.73.6","source":"GitHub","reportedAt":"2026-02-11 16:53:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gwmx-9gcj-332h"}]}],"concrete5\/concrete5":[{"advisoryId":"PKSA-xvm3-fqgr-dzxw","packageName":"concrete5\/concrete5","remoteId":"GHSA-p68c-rmfh-j48h","title":"ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads","link":"https:\/\/github.com\/advisories\/GHSA-p68c-rmfh-j48h","cve":"CVE-2026-30662","affectedVersions":"\u003C=9.4.7","source":"GitHub","reportedAt":"2026-03-24 15:30:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p68c-rmfh-j48h"}]},{"advisoryId":"PKSA-k8s6-ntjk-g2wy","packageName":"concrete5\/concrete5","remoteId":"GHSA-f4vq-pj32-gr4q","title":"Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-f4vq-pj32-gr4q","cve":"CVE-2026-3241","affectedVersions":"\u003C9.4.8","source":"GitHub","reportedAt":"2026-03-04 03:31:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f4vq-pj32-gr4q"}]},{"advisoryId":"PKSA-nnjv-c4gq-wny8","packageName":"concrete5\/concrete5","remoteId":"GHSA-w9qg-chfh-g3q9","title":"Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-w9qg-chfh-g3q9","cve":"CVE-2026-3242","affectedVersions":"\u003C9.4.8","source":"GitHub","reportedAt":"2026-03-04 03:31:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w9qg-chfh-g3q9"}]},{"advisoryId":"PKSA-79x2-hpny-rxg9","packageName":"concrete5\/concrete5","remoteId":"GHSA-gj26-w59c-29mf","title":"Concrete CMS vulnerable to\u00a0Remote Code Execution by\u00a0stored PHP object injection","link":"https:\/\/github.com\/advisories\/GHSA-gj26-w59c-29mf","cve":"CVE-2026-3452","affectedVersions":"\u003C9.4.8","source":"GitHub","reportedAt":"2026-03-04 03:31:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gj26-w59c-29mf"}]},{"advisoryId":"PKSA-r7c6-pnck-sspr","packageName":"concrete5\/concrete5","remoteId":"GHSA-mm5f-5rqw-574f","title":"Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-mm5f-5rqw-574f","cve":"CVE-2026-3244","affectedVersions":"\u003C9.4.8","source":"GitHub","reportedAt":"2026-03-04 03:31:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mm5f-5rqw-574f"}]},{"advisoryId":"PKSA-46yc-bd63-xkv6","packageName":"concrete5\/concrete5","remoteId":"GHSA-6mxw-2vhf-42g5","title":"Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF)","link":"https:\/\/github.com\/advisories\/GHSA-6mxw-2vhf-42g5","cve":"CVE-2026-2994","affectedVersions":"\u003C9.4.8","source":"GitHub","reportedAt":"2026-03-04 03:31:34","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-6mxw-2vhf-42g5"}]},{"advisoryId":"PKSA-gwgb-qhcr-dkk9","packageName":"concrete5\/concrete5","remoteId":"GHSA-45fj-fvmm-xcc5","title":"Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-45fj-fvmm-xcc5","cve":"CVE-2026-3240","affectedVersions":"\u003C9.4.8","source":"GitHub","reportedAt":"2026-03-04 03:31:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-45fj-fvmm-xcc5"}]}],"librenms\/librenms":[{"advisoryId":"PKSA-crbw-6n6w-1qmb","packageName":"librenms\/librenms","remoteId":"GHSA-pr3g-phhr-h8fh","title":"LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write","link":"https:\/\/github.com\/advisories\/GHSA-pr3g-phhr-h8fh","cve":null,"affectedVersions":"\u003E=1.48,\u003C26.3.0","source":"GitHub","reportedAt":"2026-03-26 18:04:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pr3g-phhr-h8fh"}]},{"advisoryId":"PKSA-rjmn-cvhz-y4dy","packageName":"librenms\/librenms","remoteId":"GHSA-h3rv-q4rq-pqcv","title":"LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.","link":"https:\/\/github.com\/advisories\/GHSA-h3rv-q4rq-pqcv","cve":"CVE-2026-26988","affectedVersions":"\u003C26.2.0","source":"GitHub","reportedAt":"2026-02-18 22:30:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-h3rv-q4rq-pqcv"}]},{"advisoryId":"PKSA-p35m-1xws-mn72","packageName":"librenms\/librenms","remoteId":"GHSA-6xmx-xr9p-58p7","title":"LibreNMS has a Stored XSS in Alert Rule","link":"https:\/\/github.com\/advisories\/GHSA-6xmx-xr9p-58p7","cve":"CVE-2026-26989","affectedVersions":"\u003C=25.12.0","source":"GitHub","reportedAt":"2026-02-18 22:30:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6xmx-xr9p-58p7"}]},{"advisoryId":"PKSA-fgg9-gkd1-czx2","packageName":"librenms\/librenms","remoteId":"GHSA-79q9-wc6p-cf92","title":"LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php","link":"https:\/\/github.com\/advisories\/GHSA-79q9-wc6p-cf92","cve":"CVE-2026-26990","affectedVersions":"\u003C26.2.0","source":"GitHub","reportedAt":"2026-02-18 22:31:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-79q9-wc6p-cf92"}]},{"advisoryId":"PKSA-8m8q-njcw-35gd","packageName":"librenms\/librenms","remoteId":"GHSA-gqx7-99jw-6fpr","title":"LibreNMS affected by reflected xss via email field ","link":"https:\/\/github.com\/advisories\/GHSA-gqx7-99jw-6fpr","cve":"CVE-2026-26987","affectedVersions":"\u003C26.2.0","source":"GitHub","reportedAt":"2026-02-18 22:07:06","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gqx7-99jw-6fpr"}]},{"advisoryId":"PKSA-5ndn-cv3t-wdqt","packageName":"librenms\/librenms","remoteId":"GHSA-5pqf-54qp-32wx","title":"LibreNMS \/device-groups name Stored Cross-Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-5pqf-54qp-32wx","cve":"CVE-2026-26991","affectedVersions":"\u003C26.2.0","source":"GitHub","reportedAt":"2026-02-18 22:07:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5pqf-54qp-32wx"}]},{"advisoryId":"PKSA-zkdz-sv4x-6wvp","packageName":"librenms\/librenms","remoteId":"GHSA-93fx-g747-695x","title":"LibreNMS \/port-groups name Stored Cross-Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-93fx-g747-695x","cve":"CVE-2026-26992","affectedVersions":"\u003C26.2.0","source":"GitHub","reportedAt":"2026-02-18 22:07:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-93fx-g747-695x"}]},{"advisoryId":"PKSA-vfym-rfx7-wjpv","packageName":"librenms\/librenms","remoteId":"GHSA-fqx6-693c-f55g","title":"LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags()","link":"https:\/\/github.com\/advisories\/GHSA-fqx6-693c-f55g","cve":"CVE-2026-27016","affectedVersions":"\u003E=24.10.0,\u003C26.2.0","source":"GitHub","reportedAt":"2026-02-18 22:08:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fqx6-693c-f55g"}]},{"advisoryId":"PKSA-v1yf-jwjx-pk3d","packageName":"librenms\/librenms","remoteId":"GHSA-254q-rqmw-vx45","title":"Missing Authorization in librenms\/librenms","link":"https:\/\/github.com\/advisories\/GHSA-254q-rqmw-vx45","cve":"CVE-2022-0588","affectedVersions":"\u003C22.2.0","source":"GitHub","reportedAt":"2022-02-16 00:01:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-254q-rqmw-vx45"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-hq3k-cthz-b9zn","packageName":"craftcms\/cms","remoteId":"GHSA-44px-qjjc-xrhq","title":"Craft CMS: Authorized asset \u0022preview file\u0022 requests bypass allows users without asset access to retrieve private preview metadata","link":"https:\/\/github.com\/advisories\/GHSA-44px-qjjc-xrhq","cve":null,"affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-26 17:12:21","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-44px-qjjc-xrhq"}]},{"advisoryId":"PKSA-w984-dygq-7ryn","packageName":"craftcms\/cms","remoteId":"GHSA-vgjg-248p-rfm2","title":"Craft CMS\u0027 anonymous \u0022assets\/image-editor\u0022 calls return private asset editor metadata to unauthorized users","link":"https:\/\/github.com\/advisories\/GHSA-vgjg-248p-rfm2","cve":"CVE-2026-33161","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 17:27:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-vgjg-248p-rfm2"}]},{"advisoryId":"PKSA-7c6f-2hwc-ptwd","packageName":"craftcms\/cms","remoteId":"GHSA-f582-6gf6-gx4g","title":"Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions","link":"https:\/\/github.com\/advisories\/GHSA-f582-6gf6-gx4g","cve":"CVE-2026-33162","affectedVersions":"\u003E=5.3.0,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 17:28:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f582-6gf6-gx4g"}]},{"advisoryId":"PKSA-twkq-r2c1-87qq","packageName":"craftcms\/cms","remoteId":"GHSA-2fph-6v5w-89hh","title":"Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior","link":"https:\/\/github.com\/advisories\/GHSA-2fph-6v5w-89hh","cve":"CVE-2026-33157","affectedVersions":"\u003E=5.6.0,\u003C=5.9.12","source":"GitHub","reportedAt":"2026-03-24 16:50:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fph-6v5w-89hh"}]},{"advisoryId":"PKSA-548y-fsbg-y9t7","packageName":"craftcms\/cms","remoteId":"GHSA-3pvf-vxrv-hh9c","title":"Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)","link":"https:\/\/github.com\/advisories\/GHSA-3pvf-vxrv-hh9c","cve":"CVE-2026-33158","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.13|\u003E=4.0.0-RC1,\u003C=4.17.7","source":"GitHub","reportedAt":"2026-03-24 16:53:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3pvf-vxrv-hh9c"}]},{"advisoryId":"PKSA-rxrx-pcy1-2csw","packageName":"craftcms\/cms","remoteId":"GHSA-6mrr-q3pj-h53w","title":"Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations","link":"https:\/\/github.com\/advisories\/GHSA-6mrr-q3pj-h53w","cve":"CVE-2026-33159","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 16:57:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6mrr-q3pj-h53w"}]},{"advisoryId":"PKSA-swp1-ty4d-gpzy","packageName":"craftcms\/cms","remoteId":"GHSA-5pgf-h923-m958","title":"Craft CMS may expose private assets through anonymous \u0022generate transform\u0022 calls via transform URL","link":"https:\/\/github.com\/advisories\/GHSA-5pgf-h923-m958","cve":"CVE-2026-33160","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 16:59:58","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5pgf-h923-m958"}]},{"advisoryId":"PKSA-1n7m-zdqf-4n15","packageName":"craftcms\/cms","remoteId":"GHSA-3x4w-mxpf-fhqq","title":"Craft CMS Vulnerable to Stored XSS in Revision Context Menu","link":"https:\/\/github.com\/advisories\/GHSA-3x4w-mxpf-fhqq","cve":"CVE-2026-33051","affectedVersions":"\u003E=5.9.0-beta.1,\u003C=5.9.10","source":"GitHub","reportedAt":"2026-03-18 12:58:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3x4w-mxpf-fhqq"}]},{"advisoryId":"PKSA-s8c8-j6wr-t4ds","packageName":"craftcms\/cms","remoteId":"GHSA-cc7p-2j3x-x7xf","title":"Craft CMS Vulnerable to Privilege Escalation\/Bypass through UsersController-\u003EactionImpersonateWithToken()","link":"https:\/\/github.com\/advisories\/GHSA-cc7p-2j3x-x7xf","cve":"CVE-2026-32267","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.11|\u003E=4.0.0-RC1,\u003C=4.17.5","source":"GitHub","reportedAt":"2026-03-16 18:44:20","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cc7p-2j3x-x7xf"}]},{"advisoryId":"PKSA-y7v4-m2bd-8h2y","packageName":"craftcms\/cms","remoteId":"GHSA-472v-j2g4-g9h2","title":"Craft CMS has a Path Traversal Vulnerability in AssetsController","link":"https:\/\/github.com\/advisories\/GHSA-472v-j2g4-g9h2","cve":"CVE-2026-32262","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.10|\u003E=4.0.0-RC1,\u003C=4.17.4","source":"GitHub","reportedAt":"2026-03-16 18:11:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-472v-j2g4-g9h2"}]},{"advisoryId":"PKSA-1n2n-7k4d-96rt","packageName":"craftcms\/cms","remoteId":"GHSA-qx2q-q59v-wf3j","title":"Craft CMS vulnerable to behavior injection RCE via EntryTypesController","link":"https:\/\/github.com\/advisories\/GHSA-qx2q-q59v-wf3j","cve":"CVE-2026-32263","affectedVersions":"\u003E=5.6.0,\u003C=5.9.10","source":"GitHub","reportedAt":"2026-03-16 18:12:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qx2q-q59v-wf3j"}]},{"advisoryId":"PKSA-1qxd-z2sm-yssc","packageName":"craftcms\/cms","remoteId":"GHSA-4484-8v2f-5748","title":"Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController","link":"https:\/\/github.com\/advisories\/GHSA-4484-8v2f-5748","cve":"CVE-2026-32264","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.10|\u003E=4.0.0-RC1,\u003C=4.17.4","source":"GitHub","reportedAt":"2026-03-16 18:13:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4484-8v2f-5748"}]},{"advisoryId":"PKSA-w79g-q9vy-mw7b","packageName":"craftcms\/cms","remoteId":"GHSA-fp5j-j7j4-mcxc","title":"CraftCMS has an RCE vulnerability via relational conditionals in the control panel","link":"https:\/\/github.com\/advisories\/GHSA-fp5j-j7j4-mcxc","cve":"CVE-2026-31857","affectedVersions":"\u003E=4.0.0-beta.1,\u003C=4.17.3|\u003E=5.0.0-RC1,\u003C=5.9.8","source":"GitHub","reportedAt":"2026-03-11 14:56:45","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fp5j-j7j4-mcxc"}]},{"advisoryId":"PKSA-sc5m-6n1y-h7vz","packageName":"craftcms\/cms","remoteId":"GHSA-g3hp-vvqf-8vw6","title":"Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page","link":"https:\/\/github.com\/advisories\/GHSA-g3hp-vvqf-8vw6","cve":null,"affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-03-11 14:56:59","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-g3hp-vvqf-8vw6"}]},{"advisoryId":"PKSA-t9v1-2frg-d2wy","packageName":"craftcms\/cms","remoteId":"GHSA-fvwq-45qv-xvhv","title":"CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization","link":"https:\/\/github.com\/advisories\/GHSA-fvwq-45qv-xvhv","cve":"CVE-2026-31859","affectedVersions":"\u003E=5.7.5,\u003C=5.9.6|\u003E=4.15.3,\u003C=4.17.2","source":"GitHub","reportedAt":"2026-03-11 00:26:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fvwq-45qv-xvhv"}]},{"advisoryId":"PKSA-2bdn-bpjn-j9q4","packageName":"craftcms\/cms","remoteId":"GHSA-g7j6-fmwx-7vp8","title":"CraftCMS\u0027s `ElementSearchController` Affected by Blind SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-g7j6-fmwx-7vp8","cve":"CVE-2026-31858","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.8","source":"GitHub","reportedAt":"2026-03-11 00:27:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-g7j6-fmwx-7vp8"}]},{"advisoryId":"PKSA-24yr-dkzm-n9v5","packageName":"craftcms\/cms","remoteId":"GHSA-vg3j-hpm9-8v5v","title":"Craft CMS has a potential information disclosure vulnerability in preview tokens","link":"https:\/\/github.com\/advisories\/GHSA-vg3j-hpm9-8v5v","cve":"CVE-2026-29113","affectedVersions":"\u003E=5.0.0-RC1,\u003C5.9.6|\u003E=4.0.0-RC1,\u003C4.17.3","source":"GitHub","reportedAt":"2026-03-10 18:22:02","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-vg3j-hpm9-8v5v"}]},{"advisoryId":"PKSA-s2xd-twzp-9yz7","packageName":"craftcms\/cms","remoteId":"GHSA-234q-vvw3-mrfq","title":"Craft CMS has unauthenticated activation email trigger with potential user enumeration","link":"https:\/\/github.com\/advisories\/GHSA-234q-vvw3-mrfq","cve":"CVE-2026-29069","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.2|\u003E=5.0.0-RC1,\u003C5.9.0-beta.2","source":"GitHub","reportedAt":"2026-03-04 20:52:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-234q-vvw3-mrfq"}]},{"advisoryId":"PKSA-jqb9-4xf5-mdn1","packageName":"craftcms\/cms","remoteId":"GHSA-v47q-jxvr-p68x","title":"Craft CMS Vulnerable to Authenticated RCE via \u0022craft.app.fs.write()\u0022 in Twig Templates","link":"https:\/\/github.com\/advisories\/GHSA-v47q-jxvr-p68x","cve":"CVE-2026-28697","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.0.0-RC1,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 21:00:16","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-v47q-jxvr-p68x"}]},{"advisoryId":"PKSA-zp4z-c8gp-zpww","packageName":"craftcms\/cms","remoteId":"GHSA-2xfc-g69j-x2mp","title":"Craft CMS: Entries Authorship Spoofing via Mass Assignment","link":"https:\/\/github.com\/advisories\/GHSA-2xfc-g69j-x2mp","cve":"CVE-2026-28781","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.0.0-RC1,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 21:00:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2xfc-g69j-x2mp"}]},{"advisoryId":"PKSA-x1f7-3vrt-jvfj","packageName":"craftcms\/cms","remoteId":"GHSA-5fvc-7894-ghp4","title":"Craft CMS has Twig Function Blocklist Bypass","link":"https:\/\/github.com\/advisories\/GHSA-5fvc-7894-ghp4","cve":"CVE-2026-28783","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.0.0-RC1,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 21:01:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5fvc-7894-ghp4"}]},{"advisoryId":"PKSA-c1gj-84dj-vvh3","packageName":"craftcms\/cms","remoteId":"GHSA-jxm3-pmm2-9gf6","title":"Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action","link":"https:\/\/github.com\/advisories\/GHSA-jxm3-pmm2-9gf6","cve":"CVE-2026-28782","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.0.0-RC1,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 21:05:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jxm3-pmm2-9gf6"}]},{"advisoryId":"PKSA-q22m-n7fg-cqgy","packageName":"craftcms\/cms","remoteId":"GHSA-qc86-q28f-ggww","title":"Craft CMS has potential authenticated Remote Code Execution via Twig SSTI","link":"https:\/\/github.com\/advisories\/GHSA-qc86-q28f-ggww","cve":"CVE-2026-28784","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.0.0-RC1,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 21:06:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qc86-q28f-ggww"}]},{"advisoryId":"PKSA-skz7-x8dk-h7t1","packageName":"craftcms\/cms","remoteId":"GHSA-4mgv-366x-qxvx","title":"Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options","link":"https:\/\/github.com\/advisories\/GHSA-4mgv-366x-qxvx","cve":null,"affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.0.0-RC1,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 20:58:07","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-4mgv-366x-qxvx"}]},{"advisoryId":"PKSA-n7dz-mnbq-y23y","packageName":"craftcms\/cms","remoteId":"GHSA-94rc-cqvm-m4pw","title":"Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget","link":"https:\/\/github.com\/advisories\/GHSA-94rc-cqvm-m4pw","cve":"CVE-2026-28695","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.8.7,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 20:30:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-94rc-cqvm-m4pw"}]},{"advisoryId":"PKSA-ts3n-khxn-xyvm","packageName":"craftcms\/cms","remoteId":"GHSA-7x43-mpfg-r9wj","title":"Craft CMS has IDOR via GraphQL @parseRefs","link":"https:\/\/github.com\/advisories\/GHSA-7x43-mpfg-r9wj","cve":"CVE-2026-28696","affectedVersions":"\u003E=5.0.0-RC1,\u003C5.9.0-beta.1|\u003E=4.0.0-RC1,\u003C4.17.0-beta.1","source":"GitHub","reportedAt":"2026-03-03 20:38:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7x43-mpfg-r9wj"}]},{"advisoryId":"PKSA-cf9h-wtzj-5nwd","packageName":"craftcms\/cms","remoteId":"GHSA-6j87-m5qx-9fqp","title":"Craft CMS has Stored XSS in Table Field in its \u0022Row Heading\u0022 Column Type","link":"https:\/\/github.com\/advisories\/GHSA-6j87-m5qx-9fqp","cve":null,"affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.8.22|\u003E=4.5.0-beta.1,\u003C=4.16.18","source":"GitHub","reportedAt":"2026-02-25 19:11:31","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-6j87-m5qx-9fqp"}]},{"advisoryId":"PKSA-qgft-95tr-t5vt","packageName":"craftcms\/cms","remoteId":"GHSA-v2gc-rm6g-wrw9","title":"Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution","link":"https:\/\/github.com\/advisories\/GHSA-v2gc-rm6g-wrw9","cve":"CVE-2026-27129","affectedVersions":"\u003E=3.5.0,\u003C=4.16.18|\u003E=5.0.0-RC1,\u003C=5.8.22","source":"GitHub","reportedAt":"2026-02-24 15:51:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v2gc-rm6g-wrw9"}]},{"advisoryId":"PKSA-knkq-h2rk-yc48","packageName":"craftcms\/cms","remoteId":"GHSA-3jh3-prx3-w6wc","title":"Craft CMS has Stored XSS in Table Field via \u0022HTML\u0022 Column Type","link":"https:\/\/github.com\/advisories\/GHSA-3jh3-prx3-w6wc","cve":"CVE-2026-27126","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.8.22|\u003E=4.5.0-RC1,\u003C=4.16.18","source":"GitHub","reportedAt":"2026-02-23 22:15:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3jh3-prx3-w6wc"}]},{"advisoryId":"PKSA-ycmx-j7s8-wyxz","packageName":"craftcms\/cms","remoteId":"GHSA-gp2f-7wcm-5fhx","title":"Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding","link":"https:\/\/github.com\/advisories\/GHSA-gp2f-7wcm-5fhx","cve":"CVE-2026-27127","affectedVersions":"\u003E=3.5.0,\u003C=4.16.18|\u003E=5.0.0-RC1,\u003C=5.8.22","source":"GitHub","reportedAt":"2026-02-23 22:16:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gp2f-7wcm-5fhx"}]},{"advisoryId":"PKSA-k33k-b5qw-yqgp","packageName":"craftcms\/cms","remoteId":"GHSA-6fx5-5cw5-4897","title":"Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit","link":"https:\/\/github.com\/advisories\/GHSA-6fx5-5cw5-4897","cve":"CVE-2026-27128","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.8.22|\u003E=4.5.0-RC1,\u003C=4.16.18","source":"GitHub","reportedAt":"2026-02-23 22:16:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6fx5-5cw5-4897"}]},{"advisoryId":"PKSA-v2dw-c4ss-13bw","packageName":"craftcms\/cms","remoteId":"GHSA-7pr4-wx9w-mqwr","title":"Craft CMS Vulnerable to Stored XSS in Entry Types Name","link":"https:\/\/github.com\/advisories\/GHSA-7pr4-wx9w-mqwr","cve":"CVE-2026-25491","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-02-09 20:35:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-7pr4-wx9w-mqwr"}]},{"advisoryId":"PKSA-1dbt-xzgs-7gw8","packageName":"craftcms\/cms","remoteId":"GHSA-8jr8-7hr4-vhfx","title":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect","link":"https:\/\/github.com\/advisories\/GHSA-8jr8-7hr4-vhfx","cve":"CVE-2026-25493","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.16.17|\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-02-09 20:35:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8jr8-7hr4-vhfx"}]},{"advisoryId":"PKSA-jsy4-k6z3-fcjb","packageName":"craftcms\/cms","remoteId":"GHSA-m5r2-8p9x-hp5m","title":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation","link":"https:\/\/github.com\/advisories\/GHSA-m5r2-8p9x-hp5m","cve":"CVE-2026-25494","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.16.17|\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-02-09 20:35:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m5r2-8p9x-hp5m"}]},{"advisoryId":"PKSA-9dtd-sv51-7pmx","packageName":"craftcms\/cms","remoteId":"GHSA-2453-mppf-46cj","title":"Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`","link":"https:\/\/github.com\/advisories\/GHSA-2453-mppf-46cj","cve":"CVE-2026-25495","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.16.17|\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-02-09 20:35:41","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2453-mppf-46cj"}]},{"advisoryId":"PKSA-5pj5-nxp6-547h","packageName":"craftcms\/cms","remoteId":"GHSA-9f5h-mmq6-2x78","title":"Craft CMS Vulnerable to Stored XSS in Number Prefix \u0026 Suffix Fields","link":"https:\/\/github.com\/advisories\/GHSA-9f5h-mmq6-2x78","cve":"CVE-2026-25496","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.16.17|\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-02-09 20:35:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9f5h-mmq6-2x78"}]},{"advisoryId":"PKSA-zjy6-pdtw-mck8","packageName":"craftcms\/cms","remoteId":"GHSA-fxp3-g6gw-4r4v","title":"Craft CMS: GraphQL Asset Mutation Privilege Escalation","link":"https:\/\/github.com\/advisories\/GHSA-fxp3-g6gw-4r4v","cve":"CVE-2026-25497","affectedVersions":"\u003E=4.0.0-RC1,\u003C4.17.0-beta.1|\u003E=5.0.0-RC1,\u003C5.9.0-beta.1","source":"GitHub","reportedAt":"2026-02-09 20:36:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fxp3-g6gw-4r4v"}]},{"advisoryId":"PKSA-g2n6-j3mn-x8xf","packageName":"craftcms\/cms","remoteId":"GHSA-7jx7-3846-m7w7","title":"Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior","link":"https:\/\/github.com\/advisories\/GHSA-7jx7-3846-m7w7","cve":"CVE-2026-25498","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.16.17|\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-02-09 20:36:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7jx7-3846-m7w7"}]}],"google\/protobuf":[{"advisoryId":"PKSA-tcfz-w4fm-hhk9","packageName":"google\/protobuf","remoteId":"GHSA-p2gh-cfq4-4wjc","title":"Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion","link":"https:\/\/github.com\/advisories\/GHSA-p2gh-cfq4-4wjc","cve":null,"affectedVersions":"\u003C4.33.6","source":"GitHub","reportedAt":"2026-03-25 21:02:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p2gh-cfq4-4wjc"}]}],"code16\/sharp":[{"advisoryId":"PKSA-74vs-2hzw-xc7y","packageName":"code16\/sharp","remoteId":"GHSA-fr76-5637-w3g9","title":"Sharp has Unrestricted File Upload via Client-Controlled Validation Rules","link":"https:\/\/github.com\/advisories\/GHSA-fr76-5637-w3g9","cve":"CVE-2026-33687","affectedVersions":"\u003C9.20.0","source":"GitHub","reportedAt":"2026-03-25 20:00:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fr76-5637-w3g9"}]},{"advisoryId":"PKSA-48kw-4xx3-wpfb","packageName":"code16\/sharp","remoteId":"GHSA-9ffq-6457-8958","title":"Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil","link":"https:\/\/github.com\/advisories\/GHSA-9ffq-6457-8958","cve":"CVE-2026-33686","affectedVersions":"\u003C9.20.0","source":"GitHub","reportedAt":"2026-03-25 20:01:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9ffq-6457-8958"}]}],"mantisbt\/mantisbt":[{"advisoryId":"PKSA-snjj-r5pw-fbgn","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-73vx-49mv-v8w5","title":"MantisBT has Stored HTML Injection\/XSS when displaying Tags in Timeline","link":"https:\/\/github.com\/advisories\/GHSA-73vx-49mv-v8w5","cve":"CVE-2026-33548","affectedVersions":"=2.28.0","source":"GitHub","reportedAt":"2026-03-25 20:09:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-73vx-49mv-v8w5"}]},{"advisoryId":"PKSA-dcyg-8m67-cs7k","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-fh48-f69w-7vmp","title":"MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation","link":"https:\/\/github.com\/advisories\/GHSA-fh48-f69w-7vmp","cve":"CVE-2026-33517","affectedVersions":"=2.28.0","source":"GitHub","reportedAt":"2026-03-25 19:56:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fh48-f69w-7vmp"}]},{"advisoryId":"PKSA-cwyv-kt56-ndf5","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-phrq-pc6r-f6gh","title":"MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL","link":"https:\/\/github.com\/advisories\/GHSA-phrq-pc6r-f6gh","cve":"CVE-2026-30849","affectedVersions":"\u003C2.28.1","source":"GitHub","reportedAt":"2026-03-23 20:28:52","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-phrq-pc6r-f6gh"}]}],"prestashop\/prestashop":[{"advisoryId":"PKSA-qc2t-77k5-sq5w","packageName":"prestashop\/prestashop","remoteId":"GHSA-283w-xf3q-788v","title":"PrestaShop: Improper Use of Validation Framework","link":"https:\/\/github.com\/advisories\/GHSA-283w-xf3q-788v","cve":"CVE-2026-33674","affectedVersions":"\u003E=9.0.0-alpha.1,\u003C9.1.0|\u003C8.2.5","source":"GitHub","reportedAt":"2026-03-25 19:40:42","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-283w-xf3q-788v"}]},{"advisoryId":"PKSA-327m-nm79-1t19","packageName":"prestashop\/prestashop","remoteId":"GHSA-35pf-37c6-jxjv","title":"PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables","link":"https:\/\/github.com\/advisories\/GHSA-35pf-37c6-jxjv","cve":"CVE-2026-33673","affectedVersions":"\u003C8.2.5|\u003E=9.0.0-alpha.1,\u003C9.1.0","source":"GitHub","reportedAt":"2026-03-25 19:41:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-35pf-37c6-jxjv"}]}],"yansongda\/pay":[{"advisoryId":"PKSA-8dgs-n4fh-5pd5","packageName":"yansongda\/pay","remoteId":"GHSA-q938-ghwv-8gvc","title":"WeChat Pay callback signature verification bypassed when Host header is localhost","link":"https:\/\/github.com\/advisories\/GHSA-q938-ghwv-8gvc","cve":"CVE-2026-33661","affectedVersions":"\u003C=3.7.19","source":"GitHub","reportedAt":"2026-03-25 19:30:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q938-ghwv-8gvc"}]}],"invoiceninja\/invoiceninja":[{"advisoryId":"PKSA-txpv-wmxc-xy2c","packageName":"invoiceninja\/invoiceninja","remoteId":"GHSA-98wm-cxpw-847p","title":"Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items","link":"https:\/\/github.com\/advisories\/GHSA-98wm-cxpw-847p","cve":"CVE-2026-33628","affectedVersions":"\u003C5.13.4","source":"GitHub","reportedAt":"2026-03-24 20:40:16","composerRepository":null,"severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98wm-cxpw-847p"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-8kv2-v86v-pjxv","packageName":"froxlor\/froxlor","remoteId":"GHSA-x6w6-2xwp-3jh6","title":"Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API","link":"https:\/\/github.com\/advisories\/GHSA-x6w6-2xwp-3jh6","cve":"CVE-2026-30932","affectedVersions":"\u003C=2.3.4","source":"GitHub","reportedAt":"2026-03-24 16:49:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-x6w6-2xwp-3jh6"}]},{"advisoryId":"PKSA-b24n-4864-6pc2","packageName":"froxlor\/froxlor","remoteId":"GHSA-33mp-8p67-xj7c","title":"Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-33mp-8p67-xj7c","cve":"CVE-2026-26279","affectedVersions":"\u003C=2.3.3","source":"GitHub","reportedAt":"2026-03-03 17:40:19","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-33mp-8p67-xj7c"}]}],"roadiz\/documents":[{"advisoryId":"PKSA-8x28-rsr9-rfb8","packageName":"roadiz\/documents","remoteId":"GHSA-rc55-58f4-687g","title":"Roadiz has Server-Side Request Forgery (SSRF) in roadiz\/documents","link":"https:\/\/github.com\/advisories\/GHSA-rc55-58f4-687g","cve":"CVE-2026-33486","affectedVersions":"\u003C2.3.42|\u003E=2.4.0,\u003C2.5.44|\u003E=2.6.0,\u003C2.6.28|\u003E=2.7.0,\u003C2.7.9","source":"GitHub","reportedAt":"2026-03-23 21:43:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rc55-58f4-687g"}]}],"opensource-workshop\/connect-cms":[{"advisoryId":"PKSA-41bx-mcct-sk3j","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-hxqw-6qv7-cqfv","title":"Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin","link":"https:\/\/github.com\/advisories\/GHSA-hxqw-6qv7-cqfv","cve":"CVE-2026-32276","affectedVersions":"\u003E=2.0.0,\u003C2.41.1|\u003C1.41.1","source":"GitHub","reportedAt":"2026-03-23 20:33:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hxqw-6qv7-cqfv"}]},{"advisoryId":"PKSA-16v9-y28z-87sk","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-cmfh-mpmf-fmq4","title":"Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View","link":"https:\/\/github.com\/advisories\/GHSA-cmfh-mpmf-fmq4","cve":"CVE-2026-32277","affectedVersions":"\u003E=2.35.0,\u003C2.41.1|\u003E=1.35.0,\u003C1.41.1","source":"GitHub","reportedAt":"2026-03-23 20:35:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cmfh-mpmf-fmq4"}]},{"advisoryId":"PKSA-2kyx-vx1v-bbq2","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-mv3p-7p89-wq9p","title":"Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin","link":"https:\/\/github.com\/advisories\/GHSA-mv3p-7p89-wq9p","cve":"CVE-2026-32278","affectedVersions":"\u003E=2.0.0,\u003C=2.41.0|\u003C=1.41.0","source":"GitHub","reportedAt":"2026-03-23 20:36:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mv3p-7p89-wq9p"}]},{"advisoryId":"PKSA-h93g-m9xg-91qb","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-jh46-85jr-6ph9","title":"Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin","link":"https:\/\/github.com\/advisories\/GHSA-jh46-85jr-6ph9","cve":"CVE-2026-32279","affectedVersions":"\u003E=2.0.0,\u003C=2.41.0|\u003C=1.41.0","source":"GitHub","reportedAt":"2026-03-23 20:36:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jh46-85jr-6ph9"}]},{"advisoryId":"PKSA-cxpk-mhkk-3kqb","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-62ch-j6x7-722j","title":"Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature","link":"https:\/\/github.com\/advisories\/GHSA-62ch-j6x7-722j","cve":"CVE-2026-32299","affectedVersions":"\u003E=2.0.0,\u003C=2.40.0|\u003C=1.40.0","source":"GitHub","reportedAt":"2026-03-23 20:38:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-62ch-j6x7-722j"}]},{"advisoryId":"PKSA-mqv7-zr7q-hc9j","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-qr6x-wvxr-8hm9","title":"Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information","link":"https:\/\/github.com\/advisories\/GHSA-qr6x-wvxr-8hm9","cve":"CVE-2026-32300","affectedVersions":"\u003E=2.0.0,\u003C=2.41.0|\u003C=1.41.0","source":"GitHub","reportedAt":"2026-03-23 20:39:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qr6x-wvxr-8hm9"}]}],"putyourlightson\/craft-sprig":[{"advisoryId":"PKSA-73p9-59k3-bf4z","packageName":"putyourlightson\/craft-sprig","remoteId":"GHSA-m59h-42jf-cphr","title":"Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground","link":"https:\/\/github.com\/advisories\/GHSA-m59h-42jf-cphr","cve":"CVE-2026-27131","affectedVersions":"\u003E=3.0.0,\u003C3.7.2|\u003E=2.0.0,\u003C2.15.2","source":"GitHub","reportedAt":"2026-03-23 20:25:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m59h-42jf-cphr"}]}],"dreamfactory\/df-core":[{"advisoryId":"PKSA-6vcs-hgyx-yq4f","packageName":"dreamfactory\/df-core","remoteId":"GHSA-gv7f-w92j-383q","title":"DreamFactory has a directory traversal","link":"https:\/\/github.com\/advisories\/GHSA-gv7f-w92j-383q","cve":"CVE-2025-55988","affectedVersions":"\u003C1.0.4","source":"GitHub","reportedAt":"2026-03-20 21:31:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gv7f-w92j-383q"}]}],"avideo\/avideo":[{"advisoryId":"PKSA-6kmm-hhmf-c37h","packageName":"avideo\/avideo","remoteId":"GHSA-687q-32c6-8x68","title":"AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-687q-32c6-8x68","cve":"CVE-2026-33478","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:43:50","composerRepository":null,"severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-687q-32c6-8x68"}]}],"johnbillion\/query-monitor":[{"advisoryId":"PKSA-675z-6zmn-1gbt","packageName":"johnbillion\/query-monitor","remoteId":"GHSA-2xr4-chcf-vmvf","title":"The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI","link":"https:\/\/github.com\/advisories\/GHSA-2xr4-chcf-vmvf","cve":"CVE-2026-4267","affectedVersions":"\u003C3.20.4","source":"GitHub","reportedAt":"2026-03-19 19:37:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2xr4-chcf-vmvf"}]}],"yoast\/duplicate-post":[{"advisoryId":"PKSA-gmm7-sf5q-mmt1","packageName":"yoast\/duplicate-post","remoteId":"GHSA-g9w4-m5fx-x3wv","title":"Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite","link":"https:\/\/github.com\/advisories\/GHSA-g9w4-m5fx-x3wv","cve":"CVE-2026-1217","affectedVersions":"\u003C=4.5","source":"GitHub","reportedAt":"2026-03-18 12:31:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g9w4-m5fx-x3wv"}]}],"league\/commonmark":[{"advisoryId":"PKSA-21fb-n1x5-5nf7","packageName":"league\/commonmark","remoteId":"GHSA-hh8v-hgvp-g3f5","title":"league\/commonmark has an embed extension allowed_domains bypass","link":"https:\/\/github.com\/advisories\/GHSA-hh8v-hgvp-g3f5","cve":"CVE-2026-33347","affectedVersions":"\u003E=2.3.0,\u003C=2.8.1","source":"GitHub","reportedAt":"2026-03-19 19:04:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hh8v-hgvp-g3f5"}]},{"advisoryId":"PKSA-2cx9-ynrq-qdk3","packageName":"league\/commonmark","remoteId":"GHSA-4v6x-c7xx-hw9f","title":"CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names","link":"https:\/\/github.com\/advisories\/GHSA-4v6x-c7xx-hw9f","cve":"CVE-2026-30838","affectedVersions":"\u003E=2.0.0,\u003C=2.8.0","source":"GitHub","reportedAt":"2026-03-06 23:27:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4v6x-c7xx-hw9f"}]},{"advisoryId":"PKSA-rqc2-tcc6-nc79","packageName":"league\/commonmark","remoteId":"GHSA-3527-qv2q-pfvx","title":"league\/commonmark contains a XSS vulnerability in Attributes extension","link":"https:\/\/github.com\/advisories\/GHSA-3527-qv2q-pfvx","cve":"CVE-2025-46734","affectedVersions":"\u003E=1.5.0,\u003C2.7.0","source":"GitHub","reportedAt":"2025-05-05 20:40:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3527-qv2q-pfvx"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-km2b-zc3b-mjm3","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-94g3-g5v7-q4jg","title":"phpseclib\u0027s AES-CBC unpadding susceptible to padding oracle timing attack","link":"https:\/\/github.com\/advisories\/GHSA-94g3-g5v7-q4jg","cve":"CVE-2026-32935","affectedVersions":"\u003C=1.0.26|\u003E=2.0.0,\u003C=2.0.51|\u003E=3.0.0,\u003C=3.0.49","source":"GitHub","reportedAt":"2026-03-19 16:42:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-94g3-g5v7-q4jg"}]}],"kelvinmo\/simplejwt":[{"advisoryId":"PKSA-njxg-bvx9-65t2","packageName":"kelvinmo\/simplejwt","remoteId":"GHSA-xw36-67f8-339x","title":"SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering","link":"https:\/\/github.com\/advisories\/GHSA-xw36-67f8-339x","cve":"CVE-2026-33204","affectedVersions":"\u003C=1.1.0","source":"GitHub","reportedAt":"2026-03-18 20:16:59","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xw36-67f8-339x"}]}],"filament\/tables":[{"advisoryId":"PKSA-5bdf-2x61-v43c","packageName":"filament\/tables","remoteId":"GHSA-vv3x-j2x5-36jc","title":"Filament Unvalidated Range and Values summarizer values can be used for XSS","link":"https:\/\/github.com\/advisories\/GHSA-vv3x-j2x5-36jc","cve":"CVE-2026-33080","affectedVersions":"\u003E=5.0.0,\u003C5.3.5|\u003E=4.0.0,\u003C4.8.5","source":"GitHub","reportedAt":"2026-03-18 20:07:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vv3x-j2x5-36jc"}]},{"advisoryId":"PKSA-2xmv-8f99-rg33","packageName":"filament\/tables","remoteId":"GHSA-9h9q-qhxg-89xr","title":"Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-9h9q-qhxg-89xr","cve":"CVE-2024-47186","affectedVersions":"\u003E=3.0.0,\u003C3.2.115","source":"GitHub","reportedAt":"2024-09-27 20:51:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9h9q-qhxg-89xr"}]}],"cpsit\/typo3-mailqueue":[{"advisoryId":"PKSA-nq65-b886-3hc5","packageName":"cpsit\/typo3-mailqueue","remoteId":"GHSA-2pm6-9fhx-vvg3","title":"The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class","link":"https:\/\/github.com\/advisories\/GHSA-2pm6-9fhx-vvg3","cve":"CVE-2026-1323","affectedVersions":"\u003E=0.5.0,\u003C0.5.2|\u003C0.4.5","source":"GitHub","reportedAt":"2026-03-18 16:17:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2pm6-9fhx-vvg3"}]}],"ayacoo\/redirect-tab":[{"advisoryId":"PKSA-qm8d-zth2-jq36","packageName":"ayacoo\/redirect-tab","remoteId":"GHSA-755r-r738-mjgp","title":"Broken Access Control in extension \u0022Redirect Tab\u0022 (redirect_tab)","link":"https:\/\/github.com\/advisories\/GHSA-755r-r738-mjgp","cve":"CVE-2026-4202","affectedVersions":"\u003E=4.0.0,\u003C4.0.5|\u003E=3.0.0,\u003C3.1.7|\u003C2.1.2","source":"GitHub","reportedAt":"2026-03-17 09:31:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-755r-r738-mjgp"}]}],"ralffreit\/mfa-email":[{"advisoryId":"PKSA-qp7n-s4g1-wsjq","packageName":"ralffreit\/mfa-email","remoteId":"GHSA-29r8-gvx4-r9w3","title":"Authentication Bypass in extension \u0022E-Mail MFA Provider\u0022 (mfa_email)","link":"https:\/\/github.com\/advisories\/GHSA-29r8-gvx4-r9w3","cve":"CVE-2026-4208","affectedVersions":"=2.0.0|\u003C1.0.7","source":"GitHub","reportedAt":"2026-03-17 09:31:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-29r8-gvx4-r9w3"}]}],"aureuserp\/aureuserp":[{"advisoryId":"PKSA-nj38-h5v2-sqrz","packageName":"aureuserp\/aureuserp","remoteId":"GHSA-76c2-3q6g-xvpm","title":"Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler","link":"https:\/\/github.com\/advisories\/GHSA-76c2-3q6g-xvpm","cve":"CVE-2026-4175","affectedVersions":"\u003C1.3.0-BETA1","source":"GitHub","reportedAt":"2026-03-16 15:30:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-76c2-3q6g-xvpm"}]}],"cockpit-hq\/cockpit":[{"advisoryId":"PKSA-rm9w-whnt-2jgw","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-7x5c-vfhj-9628","title":"Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() ","link":"https:\/\/github.com\/advisories\/GHSA-7x5c-vfhj-9628","cve":"CVE-2026-31891","affectedVersions":"\u003C2.13.5","source":"GitHub","reportedAt":"2026-03-17 17:07:41","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7x5c-vfhj-9628"}]}],"craftcms\/azure-blob":[{"advisoryId":"PKSA-yqn3-q88t-c7wb","packageName":"craftcms\/azure-blob","remoteId":"GHSA-q6fm-p73f-x862","title":"Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-q6fm-p73f-x862","cve":"CVE-2026-32268","affectedVersions":"\u003E=2.0.0-beta.1,\u003C=2.1.0","source":"GitHub","reportedAt":"2026-03-16 18:44:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q6fm-p73f-x862"}]}],"craftcms\/webhooks":[{"advisoryId":"PKSA-fnz6-639n-kpcq","packageName":"craftcms\/webhooks","remoteId":"GHSA-8wg7-wm29-2rvg","title":"RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin","link":"https:\/\/github.com\/advisories\/GHSA-8wg7-wm29-2rvg","cve":"CVE-2026-32261","affectedVersions":"\u003E=3.0.0,\u003C3.2.0","source":"GitHub","reportedAt":"2026-03-16 18:11:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8wg7-wm29-2rvg"}]}],"craftcms\/aws-s3":[{"advisoryId":"PKSA-7kdj-x25g-wc45","packageName":"craftcms\/aws-s3","remoteId":"GHSA-hwj7-4vgc-j3v9","title":"Amazon S3 for Craft CMS has an Information Disclosure vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-hwj7-4vgc-j3v9","cve":"CVE-2026-32265","affectedVersions":"\u003E=2.0.2,\u003C=2.2.4","source":"GitHub","reportedAt":"2026-03-16 18:13:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hwj7-4vgc-j3v9"}]}],"craftcms\/google-cloud":[{"advisoryId":"PKSA-36bt-9p2f-mcy8","packageName":"craftcms\/google-cloud","remoteId":"GHSA-67cr-jmh8-4jpq","title":"Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-67cr-jmh8-4jpq","cve":"CVE-2026-32266","affectedVersions":"\u003E=2.0.0-beta.1,\u003C=2.2.0","source":"GitHub","reportedAt":"2026-03-16 18:14:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-67cr-jmh8-4jpq"}]}],"simplesamlphp\/xml-security":[{"advisoryId":"PKSA-sxbn-dpg6-6ng9","packageName":"simplesamlphp\/xml-security","remoteId":"GHSA-r353-4845-pr5p","title":"simplesamlphp\/xml-security: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption","link":"https:\/\/github.com\/advisories\/GHSA-r353-4845-pr5p","cve":"CVE-2026-32600","affectedVersions":"\u003C1.13.9|\u003E=2.0.0,\u003C2.3.1","source":"GitHub","reportedAt":"2026-03-13 20:44:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r353-4845-pr5p"}]}],"robrichards\/xmlseclibs":[{"advisoryId":"PKSA-pr5h-1dpm-9x4k","packageName":"robrichards\/xmlseclibs","remoteId":"GHSA-4v26-v6cg-g6f9","title":"xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption","link":"https:\/\/github.com\/advisories\/GHSA-4v26-v6cg-g6f9","cve":"CVE-2026-32313","affectedVersions":"\u003C3.1.5","source":"GitHub","reportedAt":"2026-03-13 20:04:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4v26-v6cg-g6f9"}]}],"winter\/wn-backend-module":[{"advisoryId":"PKSA-4n8n-yrbw-13gr","packageName":"winter\/wn-backend-module","remoteId":"GHSA-pgpf-m8m4-6cg6","title":"Winter vulnerable to privilege escalation by authenticated backend users","link":"https:\/\/github.com\/advisories\/GHSA-pgpf-m8m4-6cg6","cve":"CVE-2026-27591","affectedVersions":"\u003C1.0.477|\u003E=1.1.0,\u003C1.1.12|\u003E=1.2.0,\u003C1.2.12","source":"GitHub","reportedAt":"2026-03-12 14:07:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-pgpf-m8m4-6cg6"}]}],"limesurvey\/limesurvey":[{"advisoryId":"PKSA-g7yy-kkwv-8pkt","packageName":"limesurvey\/limesurvey","remoteId":"GHSA-rccq-2fxq-7x3h","title":"LimeSurvey is vulnerable to SQL injection","link":"https:\/\/github.com\/advisories\/GHSA-rccq-2fxq-7x3h","cve":"CVE-2025-56421","affectedVersions":"\u003C6.15.4","source":"GitHub","reportedAt":"2026-03-10 18:31:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rccq-2fxq-7x3h"}]}],"shopware\/platform":[{"advisoryId":"PKSA-bwqq-zb6b-g5dh","packageName":"shopware\/platform","remoteId":"GHSA-7vvp-j573-5584","title":"Shopware: Unauthenticated data extraction possible through store-api.order endpoint","link":"https:\/\/github.com\/advisories\/GHSA-7vvp-j573-5584","cve":"CVE-2026-31887","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7vvp-j573-5584"}]},{"advisoryId":"PKSA-8zg6-v85t-wcz3","packageName":"shopware\/platform","remoteId":"GHSA-gqc5-xv7m-gcjq","title":"Shopware has user enumeration via distinct error codes on Store API login endpoint","link":"https:\/\/github.com\/advisories\/GHSA-gqc5-xv7m-gcjq","cve":"CVE-2026-31888","affectedVersions":"\u003C6.6.10.14|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gqc5-xv7m-gcjq"}]},{"advisoryId":"PKSA-qj2q-c8sp-3qyg","packageName":"shopware\/platform","remoteId":"GHSA-c4p7-rwrg-pf6p","title":"Shopware vulnerable to a potential take over of app credentials","link":"https:\/\/github.com\/advisories\/GHSA-c4p7-rwrg-pf6p","cve":"CVE-2026-31889","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:24:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c4p7-rwrg-pf6p"}]},{"advisoryId":"PKSA-hh61-vznp-4z86","packageName":"shopware\/platform","remoteId":"GHSA-c2f9-4jmm-v45m","title":"Shopware\u0027s session is persistent in Cache for 404 pages","link":"https:\/\/github.com\/advisories\/GHSA-c2f9-4jmm-v45m","cve":"CVE-2024-27917","affectedVersions":"\u003E=6.5.8.0,\u003C6.5.8.7","source":"GitHub","reportedAt":"2024-03-06 15:06:54","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c2f9-4jmm-v45m"}]}],"shopware\/core":[{"advisoryId":"PKSA-1d39-xhww-sgwf","packageName":"shopware\/core","remoteId":"GHSA-7vvp-j573-5584","title":"Shopware: Unauthenticated data extraction possible through store-api.order endpoint","link":"https:\/\/github.com\/advisories\/GHSA-7vvp-j573-5584","cve":"CVE-2026-31887","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7vvp-j573-5584"}]},{"advisoryId":"PKSA-cck7-yytv-pqc6","packageName":"shopware\/core","remoteId":"GHSA-gqc5-xv7m-gcjq","title":"Shopware has user enumeration via distinct error codes on Store API login endpoint","link":"https:\/\/github.com\/advisories\/GHSA-gqc5-xv7m-gcjq","cve":"CVE-2026-31888","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gqc5-xv7m-gcjq"}]},{"advisoryId":"PKSA-fyfg-936j-xtjc","packageName":"shopware\/core","remoteId":"GHSA-c4p7-rwrg-pf6p","title":"Shopware vulnerable to a potential take over of app credentials","link":"https:\/\/github.com\/advisories\/GHSA-c4p7-rwrg-pf6p","cve":"CVE-2026-31889","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:24:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c4p7-rwrg-pf6p"}]}],"sylius\/sylius":[{"advisoryId":"PKSA-6vgh-6nsj-96p4","packageName":"sylius\/sylius","remoteId":"GHSA-9ffx-f77r-756w","title":"Sylius has an Open Redirect via Referer Header","link":"https:\/\/github.com\/advisories\/GHSA-9ffx-f77r-756w","cve":"CVE-2026-31819","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15|\u003E=1.14.0,\u003C=1.14.17|\u003E=1.13.0,\u003C=1.13.14|\u003E=1.12.0,\u003C=1.12.22|\u003E=1.11.0,\u003C=1.11.16|\u003E=1.10.0,\u003C=1.10.15|\u003C=1.9.11","source":"GitHub","reportedAt":"2026-03-11 00:12:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9ffx-f77r-756w"}]},{"advisoryId":"PKSA-x831-kfr2-97xs","packageName":"sylius\/sylius","remoteId":"GHSA-2xc6-348p-c2x6","title":"Sylius affected by IDOR in Cart and Checkout LiveComponents","link":"https:\/\/github.com\/advisories\/GHSA-2xc6-348p-c2x6","cve":"CVE-2026-31820","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:12:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2xc6-348p-c2x6"}]},{"advisoryId":"PKSA-mmpz-f966-fz1y","packageName":"sylius\/sylius","remoteId":"GHSA-wjmg-4cq5-m8hg","title":"Sylius is Missing Authorization in API v2 Add Item Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-wjmg-4cq5-m8hg","cve":"CVE-2026-31821","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:12:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wjmg-4cq5-m8hg"}]},{"advisoryId":"PKSA-n7z6-xgmt-1wzb","packageName":"sylius\/sylius","remoteId":"GHSA-vgh8-c6fp-7gcg","title":"Sylius has a XSS vulnerability in checkout login form","link":"https:\/\/github.com\/advisories\/GHSA-vgh8-c6fp-7gcg","cve":"CVE-2026-31822","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:13:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vgh8-c6fp-7gcg"}]},{"advisoryId":"PKSA-w86z-tc6z-1np1","packageName":"sylius\/sylius","remoteId":"GHSA-mx4q-xxc9-pf5q","title":"Sylius Vulnerable to Authenticated Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-mx4q-xxc9-pf5q","cve":"CVE-2026-31823","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:13:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mx4q-xxc9-pf5q"}]},{"advisoryId":"PKSA-xqwf-3qbb-njd6","packageName":"sylius\/sylius","remoteId":"GHSA-7mp4-25j8-hp5q","title":"Sylius has a Promotion Usage Limit Bypass via Race Condition","link":"https:\/\/github.com\/advisories\/GHSA-7mp4-25j8-hp5q","cve":"CVE-2026-31824","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15|\u003E=1.14.0,\u003C=1.14.17|\u003E=1.13.0,\u003C=1.13.14|\u003E=1.12.0,\u003C=1.12.22|\u003E=1.11.0,\u003C=1.11.16|\u003E=1.10.0,\u003C=1.10.15|\u003C=1.9.11","source":"GitHub","reportedAt":"2026-03-11 00:13:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7mp4-25j8-hp5q"}]},{"advisoryId":"PKSA-6fr5-nks6-h5j2","packageName":"sylius\/sylius","remoteId":"GHSA-xcwx-r2gw-w93m","title":"Sylius has a DQL Injection via API Order Filters","link":"https:\/\/github.com\/advisories\/GHSA-xcwx-r2gw-w93m","cve":"CVE-2026-31825","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15|\u003E=1.14.0,\u003C=1.14.17|\u003E=1.13.0,\u003C=1.13.14|\u003E=1.12.0,\u003C=1.12.22|\u003E=1.11.0,\u003C=1.11.16|\u003E=1.10.0,\u003C=1.10.15|\u003C=1.9.11","source":"GitHub","reportedAt":"2026-03-11 00:13:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xcwx-r2gw-w93m"}]},{"advisoryId":"PKSA-b1q1-2jf6-pqt9","packageName":"sylius\/sylius","remoteId":"GHSA-55rf-8q29-4g43","title":"Sylius has a security vulnerability via adjustments API endpoint","link":"https:\/\/github.com\/advisories\/GHSA-55rf-8q29-4g43","cve":"CVE-2024-40633","affectedVersions":"\u003E=1.11.0-alpha.1,\u003C=1.11.16|\u003E=1.10.0-alpha.1,\u003C=1.10.15|\u003C1.9.12|\u003E=1.12.0-alpha.1,\u003C1.12.19|\u003E=1.13.0-alpha.1,\u003C1.13.4","source":"GitHub","reportedAt":"2024-07-17 14:32:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-55rf-8q29-4g43"}]},{"advisoryId":"PKSA-dg69-7wty-b2d6","packageName":"sylius\/sylius","remoteId":"GHSA-v2f9-rv6w-vw8r","title":"Sylius potentially vulnerable to Cross Site Scripting via \u0022Name\u0022 field (Taxons, Products, Options, Variants) in Admin Panel","link":"https:\/\/github.com\/advisories\/GHSA-v2f9-rv6w-vw8r","cve":"CVE-2024-34349","affectedVersions":"\u003E=1.11.0-alpha.1,\u003C1.11.17|\u003E=1.10.0-alpha.1,\u003C1.10.16|\u003C1.9.12|\u003E=1.13.0-alpha.1,\u003C1.13.1|\u003E=1.12.0-alpha.1,\u003C1.12.16","source":"GitHub","reportedAt":"2024-05-10 15:33:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v2f9-rv6w-vw8r"}]},{"advisoryId":"PKSA-nsc4-mbdg-1r18","packageName":"sylius\/sylius","remoteId":"GHSA-7prj-9ccr-hr3q","title":"Sylius has potential Cross Site Scripting vulnerability via the \u0022Province\u0022 field in the Checkout and Address Book","link":"https:\/\/github.com\/advisories\/GHSA-7prj-9ccr-hr3q","cve":"CVE-2024-29376","affectedVersions":"\u003E=1.11.0-alpha.1,\u003C1.11.17|\u003E=1.10.0-alpha.1,\u003C1.10.16|\u003C1.9.12|\u003E=1.13.0-alpha.1,\u003C1.13.1|\u003E=1.12.0-alpha.1,\u003C1.12.16","source":"GitHub","reportedAt":"2024-05-10 15:33:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7prj-9ccr-hr3q"}]}],"wpmetabox\/meta-box":[{"advisoryId":"PKSA-s98v-q9gv-s2bz","packageName":"wpmetabox\/meta-box","remoteId":"GHSA-m4q3-832v-44j6","title":"Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file","link":"https:\/\/github.com\/advisories\/GHSA-m4q3-832v-44j6","cve":"CVE-2025-14675","affectedVersions":"\u003C5.11.2","source":"GitHub","reportedAt":"2026-03-07 09:30:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m4q3-832v-44j6"}]}],"craftcms\/commerce":[{"advisoryId":"PKSA-hf29-t8gq-x1bd","packageName":"craftcms\/commerce","remoteId":"GHSA-j3x5-mghf-xvfw","title":"Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting","link":"https:\/\/github.com\/advisories\/GHSA-j3x5-mghf-xvfw","cve":"CVE-2026-29172","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2|\u003E=4.0.0,\u003C=4.10.1","source":"GitHub","reportedAt":"2026-03-10 18:23:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j3x5-mghf-xvfw"}]},{"advisoryId":"PKSA-7wm1-vvyh-k91c","packageName":"craftcms\/commerce","remoteId":"GHSA-mqxf-2998-c6cp","title":"Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table","link":"https:\/\/github.com\/advisories\/GHSA-mqxf-2998-c6cp","cve":"CVE-2026-29173","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2|\u003E=4.0.0,\u003C=4.10.1","source":"GitHub","reportedAt":"2026-03-10 18:23:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mqxf-2998-c6cp"}]},{"advisoryId":"PKSA-5vsf-cyf4-k2zs","packageName":"craftcms\/commerce","remoteId":"GHSA-pmgj-gmm4-jh6j","title":"Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting","link":"https:\/\/github.com\/advisories\/GHSA-pmgj-gmm4-jh6j","cve":"CVE-2026-29174","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2","source":"GitHub","reportedAt":"2026-03-10 18:23:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pmgj-gmm4-jh6j"}]},{"advisoryId":"PKSA-c2f2-bw98-42sz","packageName":"craftcms\/commerce","remoteId":"GHSA-cfpv-rmpf-f624","title":"Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-cfpv-rmpf-f624","cve":"CVE-2026-29175","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2","source":"GitHub","reportedAt":"2026-03-10 18:23:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cfpv-rmpf-f624"}]},{"advisoryId":"PKSA-9385-f9kj-gpgr","packageName":"craftcms\/commerce","remoteId":"GHSA-wj89-2385-gpx3","title":"Craft Commerce has stored XSS in Inventory Location Name","link":"https:\/\/github.com\/advisories\/GHSA-wj89-2385-gpx3","cve":"CVE-2026-29176","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2","source":"GitHub","reportedAt":"2026-03-10 18:23:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wj89-2385-gpx3"}]},{"advisoryId":"PKSA-q6pp-5z96-2bd2","packageName":"craftcms\/commerce","remoteId":"GHSA-mj32-r678-7mvp","title":"Craft Commerce has stored XSS in Craft Commerce Order Details Slideout","link":"https:\/\/github.com\/advisories\/GHSA-mj32-r678-7mvp","cve":"CVE-2026-29177","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2|\u003E=4.0.0,\u003C=4.10.1","source":"GitHub","reportedAt":"2026-03-10 18:24:18","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mj32-r678-7mvp"}]},{"advisoryId":"PKSA-c2xz-ckr6-6mky","packageName":"craftcms\/commerce","remoteId":"GHSA-vff3-pqq8-4cpq","title":"Craft Commerce: Potential IDOR in Commerce carts","link":"https:\/\/github.com\/advisories\/GHSA-vff3-pqq8-4cpq","cve":"CVE-2026-31867","affectedVersions":"\u003E=4.0.0,\u003C4.11.0|\u003E=5.0.0,\u003C5.6.0","source":"GitHub","reportedAt":"2026-03-10 18:24:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vff3-pqq8-4cpq"}]}],"web-auth\/webauthn-framework":[{"advisoryId":"PKSA-1sct-n8q3-hf7r","packageName":"web-auth\/webauthn-framework","remoteId":"GHSA-f7pm-6hr8-7ggm","title":"Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation","link":"https:\/\/github.com\/advisories\/GHSA-f7pm-6hr8-7ggm","cve":"CVE-2026-30964","affectedVersions":"\u003E=5.2.0,\u003C5.2.4","source":"GitHub","reportedAt":"2026-03-10 01:19:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7pm-6hr8-7ggm"}]}],"web-auth\/webauthn-lib":[{"advisoryId":"PKSA-n72g-8zd8-6dm2","packageName":"web-auth\/webauthn-lib","remoteId":"GHSA-f7pm-6hr8-7ggm","title":"Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation","link":"https:\/\/github.com\/advisories\/GHSA-f7pm-6hr8-7ggm","cve":"CVE-2026-30964","affectedVersions":"\u003E=5.2.0,\u003C5.2.4","source":"GitHub","reportedAt":"2026-03-10 01:19:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7pm-6hr8-7ggm"}]}],"web-auth\/webauthn-symfony-bundle":[{"advisoryId":"PKSA-mvry-7c68-swp2","packageName":"web-auth\/webauthn-symfony-bundle","remoteId":"GHSA-f7pm-6hr8-7ggm","title":"Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation","link":"https:\/\/github.com\/advisories\/GHSA-f7pm-6hr8-7ggm","cve":"CVE-2026-30964","affectedVersions":"\u003E=5.2.0,\u003C5.2.4","source":"GitHub","reportedAt":"2026-03-10 01:19:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7pm-6hr8-7ggm"}]}],"flarum\/nicknames":[{"advisoryId":"PKSA-661s-dgrr-6b19","packageName":"flarum\/nicknames","remoteId":"GHSA-3c4m-j3g4-hh25","title":"flarum\/nicknames extension has display name injection in notification emails (autolink \u0026 markdown)","link":"https:\/\/github.com\/advisories\/GHSA-3c4m-j3g4-hh25","cve":"CVE-2026-30913","affectedVersions":"\u003C1.8.3","source":"GitHub","reportedAt":"2026-03-10 00:56:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3c4m-j3g4-hh25"}]}],"azuracast\/azuracast":[{"advisoryId":"PKSA-p9gy-8v98-hsfy","packageName":"azuracast\/azuracast","remoteId":"GHSA-93fx-5qgc-wr38","title":"AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs","link":"https:\/\/github.com\/advisories\/GHSA-93fx-5qgc-wr38","cve":null,"affectedVersions":"\u003C=0.23.3","source":"GitHub","reportedAt":"2026-03-09 19:55:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-93fx-5qgc-wr38"}]}],"snipe\/snipe-it":[{"advisoryId":"PKSA-b19f-d499-7h75","packageName":"snipe\/snipe-it","remoteId":"GHSA-5448-v74m-7mv7","title":"Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment","link":"https:\/\/github.com\/advisories\/GHSA-5448-v74m-7mv7","cve":"CVE-2025-15602","affectedVersions":"\u003C8.3.7","source":"GitHub","reportedAt":"2026-03-06 18:31:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5448-v74m-7mv7"}]}],"grumpydictator\/firefly-iii":[{"advisoryId":"PKSA-gsvb-yc3b-2hf2","packageName":"grumpydictator\/firefly-iii","remoteId":"GHSA-5q8v-j673-m5v4","title":"Firefly III user API endpoints expose all users\u0027 information to any authenticated user (IDOR)","link":"https:\/\/github.com\/advisories\/GHSA-5q8v-j673-m5v4","cve":null,"affectedVersions":"\u003E=6.4.23,\u003C=6.5.0","source":"GitHub","reportedAt":"2026-03-07 02:10:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5q8v-j673-m5v4"}]}],"ec-cube\/ec-cube":[{"advisoryId":"PKSA-8syj-s477-kgpz","packageName":"ec-cube\/ec-cube","remoteId":"GHSA-7rhv-h82h-vpjh","title":"EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface","link":"https:\/\/github.com\/advisories\/GHSA-7rhv-h82h-vpjh","cve":null,"affectedVersions":"\u003E=4.1.0,\u003C=4.3.1","source":"GitHub","reportedAt":"2026-03-05 21:14:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7rhv-h82h-vpjh"}]}],"leantime\/leantime":[{"advisoryId":"PKSA-xts7-ftgj-xm47","packageName":"leantime\/leantime","remoteId":"GHSA-qrfh-cc86-vc8c","title":"Leantime has HTML injection through firstname and lastname fields","link":"https:\/\/github.com\/advisories\/GHSA-qrfh-cc86-vc8c","cve":null,"affectedVersions":"\u003C3.3.0","source":"GitHub","reportedAt":"2026-03-05 18:05:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qrfh-cc86-vc8c"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-j5f5-11n1-y3zr","packageName":"kimai\/kimai","remoteId":"GHSA-v33r-r6h2-8wr7","title":"Kimai\u0027s API invoice endpoint missing customer-level access control (IDOR)","link":"https:\/\/github.com\/advisories\/GHSA-v33r-r6h2-8wr7","cve":"CVE-2026-28685","affectedVersions":"\u003C=2.50.0","source":"GitHub","reportedAt":"2026-03-04 20:43:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v33r-r6h2-8wr7"}]},{"advisoryId":"PKSA-kh61-fncz-s7b4","packageName":"kimai\/kimai","remoteId":"GHSA-cv8h-r7r5-vwj9","title":"Kimai contains a SameSite cookie vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-cv8h-r7r5-vwj9","cve":"CVE-2023-53957","affectedVersions":"\u003C=1.30.10","source":"GitHub","reportedAt":"2025-12-19 21:30:20","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cv8h-r7r5-vwj9"}]},{"advisoryId":"PKSA-2hk7-7wzk-4rts","packageName":"kimai\/kimai","remoteId":"GHSA-9278-6hcj-2p4j","title":"Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions","link":"https:\/\/github.com\/advisories\/GHSA-9278-6hcj-2p4j","cve":"CVE-2019-25317","affectedVersions":"\u003C1.1","source":"GitHub","reportedAt":"2026-02-11 15:30:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9278-6hcj-2p4j"}]}],"idno\/known":[{"advisoryId":"PKSA-tjwq-xm4h-4hs1","packageName":"idno\/known","remoteId":"GHSA-fcrh-fqxh-6fx6","title":"Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-fcrh-fqxh-6fx6","cve":"CVE-2026-28508","affectedVersions":"\u003C=1.6.3","source":"GitHub","reportedAt":"2026-03-02 21:24:37","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fcrh-fqxh-6fx6"}]},{"advisoryId":"PKSA-vr9w-vsjd-wjfy","packageName":"idno\/known","remoteId":"GHSA-37j7-56xc-c468","title":"Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal","link":"https:\/\/github.com\/advisories\/GHSA-37j7-56xc-c468","cve":"CVE-2026-28507","affectedVersions":"\u003C1.6.4","source":"GitHub","reportedAt":"2026-03-02 21:26:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37j7-56xc-c468"}]},{"advisoryId":"PKSA-mcts-z5dp-tgk3","packageName":"idno\/known","remoteId":"GHSA-78wq-6gcv-w28r","title":"Known affected by Account Takeover via Password Reset Token Leakage","link":"https:\/\/github.com\/advisories\/GHSA-78wq-6gcv-w28r","cve":"CVE-2026-26273","affectedVersions":"\u003C=1.6.2","source":"GitHub","reportedAt":"2026-02-13 22:49:27","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-78wq-6gcv-w28r"}]}],"funadmin\/funadmin":[{"advisoryId":"PKSA-46y2-3dk3-ygyt","packageName":"funadmin\/funadmin","remoteId":"GHSA-8hhx-xq9j-xwfj","title":"funadmin exposes sensitive information via getMember function","link":"https:\/\/github.com\/advisories\/GHSA-8hhx-xq9j-xwfj","cve":"CVE-2026-2894","affectedVersions":"\u003C=7.1.0-rc4","source":"GitHub","reportedAt":"2026-02-22 00:31:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8hhx-xq9j-xwfj"}]},{"advisoryId":"PKSA-j1rx-v5j5-4zrh","packageName":"funadmin\/funadmin","remoteId":"GHSA-fmr2-m7gc-577w","title":"funadmin has Weak Password Recovery Mechanism for Forgotten Password","link":"https:\/\/github.com\/advisories\/GHSA-fmr2-m7gc-577w","cve":"CVE-2026-2895","affectedVersions":"\u003C=7.1.0-rc4","source":"GitHub","reportedAt":"2026-02-22 00:31:01","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-fmr2-m7gc-577w"}]},{"advisoryId":"PKSA-dwjy-41q2-31rt","packageName":"funadmin\/funadmin","remoteId":"GHSA-5m2g-4cf6-c3rg","title":"funadmin has Incorrect Privilege Assignment in its Configuration Handler","link":"https:\/\/github.com\/advisories\/GHSA-5m2g-4cf6-c3rg","cve":"CVE-2026-2896","affectedVersions":"\u003C=7.1.0-rc4","source":"GitHub","reportedAt":"2026-02-22 00:31:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5m2g-4cf6-c3rg"}]},{"advisoryId":"PKSA-rzcm-2t96-zr56","packageName":"funadmin\/funadmin","remoteId":"GHSA-gcxp-xg77-798j","title":"funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function","link":"https:\/\/github.com\/advisories\/GHSA-gcxp-xg77-798j","cve":"CVE-2026-2898","affectedVersions":"\u003C=7.1.0-rc4","source":"GitHub","reportedAt":"2026-02-22 03:30:26","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-gcxp-xg77-798j"}]},{"advisoryId":"PKSA-z36f-6d88-bjdd","packageName":"funadmin\/funadmin","remoteId":"GHSA-rfh7-7v27-6p9r","title":"funadmin: XSS through Value argument in Backend Interface component","link":"https:\/\/github.com\/advisories\/GHSA-rfh7-7v27-6p9r","cve":"CVE-2026-2897","affectedVersions":"\u003C=7.1.0-rc4","source":"GitHub","reportedAt":"2026-02-22 03:30:26","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rfh7-7v27-6p9r"}]}],"mautic\/core":[{"advisoryId":"PKSA-frhs-vjy5-hffg","packageName":"mautic\/core","remoteId":"GHSA-r5j5-q42h-fc93","title":"Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting","link":"https:\/\/github.com\/advisories\/GHSA-r5j5-q42h-fc93","cve":"CVE-2026-3105","affectedVersions":"\u003E=7.0.0-alpha,\u003C7.0.1|\u003E=6.0.0-alpha,\u003C6.0.8|\u003E=2.10.0,\u003C5.2.10","source":"GitHub","reportedAt":"2026-02-25 19:28:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r5j5-q42h-fc93"}]}],"typicms\/core":[{"advisoryId":"PKSA-4g4t-fqh1-f8mt","packageName":"typicms\/core","remoteId":"GHSA-xfvg-8v67-j7wp","title":"TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload","link":"https:\/\/github.com\/advisories\/GHSA-xfvg-8v67-j7wp","cve":"CVE-2026-27621","affectedVersions":"\u003C16.1.7","source":"GitHub","reportedAt":"2026-02-25 16:06:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xfvg-8v67-j7wp"}]}],"moodle\/moodle":[{"advisoryId":"PKSA-d5fc-2jw8-sm45","packageName":"moodle\/moodle","remoteId":"GHSA-cg8j-5cr2-568q","title":"Moodle TeX formula editor is vulnerable to DoS through lack of execution time limits","link":"https:\/\/github.com\/advisories\/GHSA-cg8j-5cr2-568q","cve":"CVE-2026-26047","affectedVersions":"\u003C4.5.9|\u003E=5.0.0-beta,\u003C5.0.5|\u003E=5.1.0-beta,\u003C5.1.2","source":"GitHub","reportedAt":"2026-02-21 06:30:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cg8j-5cr2-568q"}]},{"advisoryId":"PKSA-fh6z-73jv-qwnd","packageName":"moodle\/moodle","remoteId":"GHSA-ggxq-2mg9-8966","title":"Moodle has a Remote Code Execution risk via file restore","link":"https:\/\/github.com\/advisories\/GHSA-ggxq-2mg9-8966","cve":"CVE-2026-26045","affectedVersions":"\u003C4.5.9|\u003E=5.0.0-beta,\u003C5.0.5|\u003E=5.1.0-beta,\u003C5.1.2","source":"GitHub","reportedAt":"2026-02-21 06:30:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ggxq-2mg9-8966"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-8x4n-f9v2-4s1d","packageName":"pimcore\/pimcore","remoteId":"GHSA-vxg3-v4p6-f3fp","title":"Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause","link":"https:\/\/github.com\/advisories\/GHSA-vxg3-v4p6-f3fp","cve":"CVE-2026-27461","affectedVersions":"\u003E=12.0.0,\u003C12.3.3|\u003C=11.5.14.1","source":"GitHub","reportedAt":"2026-02-24 20:03:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vxg3-v4p6-f3fp"}]},{"advisoryId":"PKSA-7prq-96rv-5y6n","packageName":"pimcore\/pimcore","remoteId":"GHSA-h9vc-2p9g-63gp","title":"Cross-site Scripting in pimcore","link":"https:\/\/github.com\/advisories\/GHSA-h9vc-2p9g-63gp","cve":"CVE-2022-0565","affectedVersions":"\u003C10.3.1","source":"GitHub","reportedAt":"2022-02-15 00:02:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h9vc-2p9g-63gp"}]}],"zumba\/json-serializer":[{"advisoryId":"PKSA-zhg7-9xn9-qv5j","packageName":"zumba\/json-serializer","remoteId":"GHSA-v7m3-fpcr-h7m2","title":"Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()","link":"https:\/\/github.com\/advisories\/GHSA-v7m3-fpcr-h7m2","cve":"CVE-2026-27206","affectedVersions":"\u003C3.2.3","source":"GitHub","reportedAt":"2026-02-19 22:05:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-v7m3-fpcr-h7m2"}]}],"getformwork\/formwork":[{"advisoryId":"PKSA-s7gr-pq9f-f16r","packageName":"getformwork\/formwork","remoteId":"GHSA-34p4-7w83-35g2","title":"Formwork Improperly Managed Privileges in User creation","link":"https:\/\/github.com\/advisories\/GHSA-34p4-7w83-35g2","cve":"CVE-2026-27198","affectedVersions":"\u003E=2.0.0,\u003C=2.3.3","source":"GitHub","reportedAt":"2026-02-19 20:31:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-34p4-7w83-35g2"}]}],"firebase\/php-jwt":[{"advisoryId":"PKSA-y2cr-5h3j-g3ys","packageName":"firebase\/php-jwt","remoteId":"GHSA-2x45-7fc3-mxwq","title":"php-jwt contains weak encryption","link":"https:\/\/github.com\/advisories\/GHSA-2x45-7fc3-mxwq","cve":"CVE-2025-45769","affectedVersions":"\u003C7.0.0","source":"GitHub","reportedAt":"2025-07-31 21:31:53","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-2x45-7fc3-mxwq"}]}],"pterodactyl\/panel":[{"advisoryId":"PKSA-773t-3wms-bb2z","packageName":"pterodactyl\/panel","remoteId":"GHSA-g7vw-f8p5-c728","title":"Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization","link":"https:\/\/github.com\/advisories\/GHSA-g7vw-f8p5-c728","cve":"CVE-2026-26016","affectedVersions":"\u003C1.12.1","source":"GitHub","reportedAt":"2026-02-17 18:54:49","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-g7vw-f8p5-c728"}]},{"advisoryId":"PKSA-khps-r6nm-3z7r","packageName":"pterodactyl\/panel","remoteId":"GHSA-hr7j-63v7-vj7g","title":"Pterodactyl Panel\u0027s SFTP sessions remain active after user account deletion or password change","link":"https:\/\/github.com\/advisories\/GHSA-hr7j-63v7-vj7g","cve":null,"affectedVersions":"\u003C1.12.1","source":"GitHub","reportedAt":"2026-02-17 17:15:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hr7j-63v7-vj7g"}]}],"directorytree\/imapengine":[{"advisoryId":"PKSA-r9pf-9w4d-dyr5","packageName":"directorytree\/imapengine","remoteId":"GHSA-rfq9-4wcm-64gh","title":"ImapEngine affected by command injection via the ID command parameters","link":"https:\/\/github.com\/advisories\/GHSA-rfq9-4wcm-64gh","cve":"CVE-2026-2469","affectedVersions":"\u003C1.22.3","source":"GitHub","reportedAt":"2026-02-14 06:30:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rfq9-4wcm-64gh"}]}],"cesargb\/laravel-magiclink":[{"advisoryId":"PKSA-n3xg-c9dz-5k25","packageName":"cesargb\/laravel-magiclink","remoteId":"GHSA-r33w-fg8j-9c94","title":"MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-r33w-fg8j-9c94","cve":null,"affectedVersions":"\u003E=2.0.0,\u003C2.25.1","source":"GitHub","reportedAt":"2026-02-12 22:11:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r33w-fg8j-9c94"}]}],"phraseanet\/phraseanet":[{"advisoryId":"PKSA-r347-9jgf-7h41","packageName":"phraseanet\/phraseanet","remoteId":"GHSA-gcpq-mrgg-v5f3","title":"Phraseanet vulnerable to stored cross-site scripting through crafted file names","link":"https:\/\/github.com\/advisories\/GHSA-gcpq-mrgg-v5f3","cve":"CVE-2018-25157","affectedVersions":"=4.0.3","source":"GitHub","reportedAt":"2026-02-11 15:30:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcpq-mrgg-v5f3"}]}],"frosh\/adminer-platform":[{"advisoryId":"PKSA-9n8q-v8pv-hdyq","packageName":"frosh\/adminer-platform","remoteId":"GHSA-f339-246p-wwjp","title":"FroshAdminer Adminer UI is accessible without admin session","link":"https:\/\/github.com\/advisories\/GHSA-f339-246p-wwjp","cve":"CVE-2026-25878","affectedVersions":"\u003C2.2.1","source":"GitHub","reportedAt":"2026-02-10 00:22:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f339-246p-wwjp"}]}],"vrana\/adminer":[{"advisoryId":"PKSA-5hbx-ykrq-c4p8","packageName":"vrana\/adminer","remoteId":"GHSA-q4f2-39gr-45jh","title":"Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-q4f2-39gr-45jh","cve":"CVE-2026-25892","affectedVersions":"\u003E=4.6.2,\u003C5.4.2","source":"GitHub","reportedAt":"2026-02-10 00:25:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q4f2-39gr-45jh"}]}],"amphp\/http-server":[{"advisoryId":"PKSA-n4yt-trn1-vc6d","packageName":"amphp\/http-server","remoteId":"GHSA-8grv-jq2g-cfhw","title":"amphp\/http-server affected by HTTP\/2 DDoS vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-8grv-jq2g-cfhw","cve":null,"affectedVersions":"\u003E=2.0.0-rc1,\u003C2.1.10|\u003E=3.0.0-beta.1,\u003C3.4.4","source":"GitHub","reportedAt":"2026-02-10 00:25:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8grv-jq2g-cfhw"}]},{"advisoryId":"PKSA-32dn-k7sj-x6b5","packageName":"amphp\/http-server","remoteId":"amphp\/http-server\/CVE-2025-8671.yaml","title":"Denial of Service via \u0022MadeYouReset\u0022 vulnerability","link":"https:\/\/github.com\/amphp\/http-server\/security\/advisories\/GHSA-8grv-jq2g-cfhw","cve":"CVE-2025-8671","affectedVersions":"\u003E=3.0.0-beta1,\u003C3.4.4|\u003E=2.0.0-rc1,\u003C2.1.10","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-02-08 22:45:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"amphp\/http-server\/CVE-2025-8671.yaml"}]}],"craftcms\/craft":[{"advisoryId":"PKSA-jd1d-xg2h-yr6f","packageName":"craftcms\/craft","remoteId":"GHSA-96pq-hxpw-rgh8","title":"Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host","link":"https:\/\/github.com\/advisories\/GHSA-96pq-hxpw-rgh8","cve":"CVE-2026-25492","affectedVersions":"\u003E=3.5.0,\u003C=4.16.17|\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-02-09 20:35:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-96pq-hxpw-rgh8"}]}],"solspace\/craft-freeform":[{"advisoryId":"PKSA-xc3n-vk9q-z5t5","packageName":"solspace\/craft-freeform","remoteId":"GHSA-jp3q-wwp3-pwv9","title":"Freeform Craft Plugin CP UI (builder\/integrations) has Stored Cross-Site Scripting (XSS) issue","link":"https:\/\/github.com\/advisories\/GHSA-jp3q-wwp3-pwv9","cve":"CVE-2026-26188","affectedVersions":"\u003E=5.0.0,\u003C=5.14.6","source":"GitHub","reportedAt":"2026-01-22 21:41:14","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jp3q-wwp3-pwv9"}]}],"twig\/twig":[{"advisoryId":"PKSA-yhcn-xrg3-68b1","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2024-51754.yaml","title":"Unguarded calls to __toString() when nesting an object into an array","link":"https:\/\/symfony.com\/blog\/cve-2024-51754-unguarded-calls-to-tostring-in-a-sandbox-when-an-object-is-in-an-array-or-an-argument-list","cve":"CVE-2024-51754","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.11.2|\u003E=3.12.0,\u003C3.14.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2024-11-06 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-6377-hfv9-hqf6"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2024-51754.yaml"}]},{"advisoryId":"PKSA-2wrf-1xmk-1pky","packageName":"twig\/twig","remoteId":"twig\/twig\/CVE-2024-51755.yaml","title":"Unguarded calls to __isset() and to array-accesses when the sandbox is enabled","link":"https:\/\/symfony.com\/blog\/cve-2024-51755-unguarded-calls-to-isset-and-to-array-accesses-in-a-sandbox","cve":"CVE-2024-51755","affectedVersions":"\u003E=1.0.0,\u003C2.0.0|\u003E=2.0.0,\u003C3.0.0|\u003E=3.0.0,\u003C3.11.2|\u003E=3.12.0,\u003C3.14.1","source":"FriendsOfPHP\/security-advisories","reportedAt":"2024-11-06 08:00:00","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jjxq-ff2g-95vh"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"twig\/twig\/CVE-2024-51755.yaml"}]}],"filament\/infolists":[{"advisoryId":"PKSA-jyd3-2srm-pfqd","packageName":"filament\/infolists","remoteId":"GHSA-9h9q-qhxg-89xr","title":"Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-9h9q-qhxg-89xr","cve":"CVE-2024-47186","affectedVersions":"\u003E=3.0.0,\u003C3.2.115","source":"GitHub","reportedAt":"2024-09-27 20:51:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9h9q-qhxg-89xr"}]}],"getgrav\/grav":[{"advisoryId":"PKSA-s32r-k9tt-xp19","packageName":"getgrav\/grav","remoteId":"GHSA-f6g2-h7qv-3m5v","title":"Remote Code Execution by uploading a phar file using frontmatter","link":"https:\/\/github.com\/advisories\/GHSA-f6g2-h7qv-3m5v","cve":"CVE-2024-27923","affectedVersions":"\u003C1.7.43","source":"GitHub","reportedAt":"2024-03-06 16:58:33","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f6g2-h7qv-3m5v"}]}],"shopware\/storefront":[{"advisoryId":"PKSA-5pbs-7q37-td9b","packageName":"shopware\/storefront","remoteId":"GHSA-c2f9-4jmm-v45m","title":"Shopware\u0027s session is persistent in Cache for 404 pages","link":"https:\/\/github.com\/advisories\/GHSA-c2f9-4jmm-v45m","cve":"CVE-2024-27917","affectedVersions":"\u003E=6.5.8.0,\u003C6.5.8.7","source":"GitHub","reportedAt":"2024-03-06 15:06:54","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c2f9-4jmm-v45m"}]}]}}