{"advisories":{"krayin\/laravel-crm":[{"advisoryId":"PKSA-y1wv-79ht-f4db","packageName":"krayin\/laravel-crm","remoteId":"GHSA-rm5f-3c25-p4cw","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Controllers\/Lead\/LeadController.php","link":"https:\/\/github.com\/advisories\/GHSA-rm5f-3c25-p4cw","cve":"CVE-2026-38530","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rm5f-3c25-p4cw"}]},{"advisoryId":"PKSA-5xsp-55yb-hdyp","packageName":"krayin\/laravel-crm","remoteId":"GHSA-r8rp-5f55-5j9x","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Settings\/UserController.php","link":"https:\/\/github.com\/advisories\/GHSA-r8rp-5f55-5j9x","cve":"CVE-2026-38529","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r8rp-5f55-5j9x"}]},{"advisoryId":"PKSA-2w9z-jxqd-y35k","packageName":"krayin\/laravel-crm","remoteId":"GHSA-2xx8-j85v-j7wh","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Contact\/Persons\/PersonController.php","link":"https:\/\/github.com\/advisories\/GHSA-2xx8-j85v-j7wh","cve":"CVE-2026-38532","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2xx8-j85v-j7wh"}]},{"advisoryId":"PKSA-gcg3-xvcm-8tz7","packageName":"krayin\/laravel-crm","remoteId":"GHSA-fpx9-9hq8-w2xc","title":"Webkul Krayin CRM has Server-Side Request Forgery (SSRF)","link":"https:\/\/github.com\/advisories\/GHSA-fpx9-9hq8-w2xc","cve":"CVE-2026-38527","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fpx9-9hq8-w2xc"}]},{"advisoryId":"PKSA-9rzv-szxy-ckw5","packageName":"krayin\/laravel-crm","remoteId":"GHSA-9m2v-hc5g-5jpv","title":"Krayin CRM is vulnerable to Cross-site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-9m2v-hc5g-5jpv","cve":"CVE-2026-5370","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-02 18:31:39","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9m2v-hc5g-5jpv"}]}],"khodakhah\/nodcms":[{"advisoryId":"PKSA-j2zd-bc4z-jzrm","packageName":"khodakhah\/nodcms","remoteId":"GHSA-3qcm-pj6q-w4c5","title":"Nodcms contains a cross-site request forgery vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-3qcm-pj6q-w4c5","cve":"CVE-2016-20054","affectedVersions":"\u003C=3.4.1","source":"GitHub","reportedAt":"2026-04-04 21:30:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3qcm-pj6q-w4c5"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-t427-p3m6-gf3c","packageName":"froxlor\/froxlor","remoteId":"GHSA-w59f-67xm-rxx7","title":"Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-w59f-67xm-rxx7","cve":null,"affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 01:02:12","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w59f-67xm-rxx7"}]},{"advisoryId":"PKSA-ghdy-xf1y-wsyx","packageName":"froxlor\/froxlor","remoteId":"GHSA-jvx4-xv3m-hrj4","title":"Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()","link":"https:\/\/github.com\/advisories\/GHSA-jvx4-xv3m-hrj4","cve":null,"affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:46:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jvx4-xv3m-hrj4"}]},{"advisoryId":"PKSA-mym1-2cj8-f6cp","packageName":"froxlor\/froxlor","remoteId":"GHSA-vmjj-qr7v-pxm6","title":"Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing","link":"https:\/\/github.com\/advisories\/GHSA-vmjj-qr7v-pxm6","cve":null,"affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vmjj-qr7v-pxm6"}]},{"advisoryId":"PKSA-jy2x-d5vf-ycwz","packageName":"froxlor\/froxlor","remoteId":"GHSA-75h4-c557-j89r","title":"Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron","link":"https:\/\/github.com\/advisories\/GHSA-75h4-c557-j89r","cve":null,"affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-75h4-c557-j89r"}]},{"advisoryId":"PKSA-zvbr-5xtx-pwd7","packageName":"froxlor\/froxlor","remoteId":"GHSA-47hf-23pw-3m8c","title":"Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()","link":"https:\/\/github.com\/advisories\/GHSA-47hf-23pw-3m8c","cve":null,"affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-47hf-23pw-3m8c"}]},{"advisoryId":"PKSA-s4pz-z4hm-5n7x","packageName":"froxlor\/froxlor","remoteId":"GHSA-gc9w-cc93-rjv8","title":"Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)","link":"https:\/\/github.com\/advisories\/GHSA-gc9w-cc93-rjv8","cve":null,"affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:50:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gc9w-cc93-rjv8"}]},{"advisoryId":"PKSA-8kv2-v86v-pjxv","packageName":"froxlor\/froxlor","remoteId":"GHSA-x6w6-2xwp-3jh6","title":"Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API","link":"https:\/\/github.com\/advisories\/GHSA-x6w6-2xwp-3jh6","cve":"CVE-2026-30932","affectedVersions":"\u003C=2.3.4","source":"GitHub","reportedAt":"2026-03-24 16:49:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-x6w6-2xwp-3jh6"}]}],"pocketmine\/pocketmine-mp":[{"advisoryId":"PKSA-tnfd-ykdn-862g","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-xp4f-g2cm-rhg7","title":"PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket","link":"https:\/\/github.com\/advisories\/GHSA-xp4f-g2cm-rhg7","cve":null,"affectedVersions":"\u003C5.42.1","source":"GitHub","reportedAt":"2026-04-15 19:43:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xp4f-g2cm-rhg7"}]},{"advisoryId":"PKSA-h4z5-fb6q-736p","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-h6rj-3m53-887h","title":"PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket","link":"https:\/\/github.com\/advisories\/GHSA-h6rj-3m53-887h","cve":null,"affectedVersions":"\u003C5.41.1","source":"GitHub","reportedAt":"2026-04-06 22:54:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-h6rj-3m53-887h"}]},{"advisoryId":"PKSA-cnjv-js4w-1xcs","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-788v-5pfp-93ff","title":"PocketMine-MP: JSON decoding of unlimited size large arrays\/objects in ModalFormResponse Handling","link":"https:\/\/github.com\/advisories\/GHSA-788v-5pfp-93ff","cve":null,"affectedVersions":"\u003C5.39.2","source":"GitHub","reportedAt":"2026-04-06 22:54:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-788v-5pfp-93ff"}]},{"advisoryId":"PKSA-yw3m-b28c-y6hc","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-7hmv-4j2j-pp6f","title":"PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`","link":"https:\/\/github.com\/advisories\/GHSA-7hmv-4j2j-pp6f","cve":null,"affectedVersions":"\u003C5.39.2","source":"GitHub","reportedAt":"2026-04-06 22:54:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7hmv-4j2j-pp6f"}]},{"advisoryId":"PKSA-t7y4-spmt-39ct","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-f9jp-856v-8642","title":"PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state","link":"https:\/\/github.com\/advisories\/GHSA-f9jp-856v-8642","cve":null,"affectedVersions":"\u003C5.39.2","source":"GitHub","reportedAt":"2026-04-06 22:54:14","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-f9jp-856v-8642"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-ws9h-wxv9-tvcq","packageName":"kimai\/kimai","remoteId":"GHSA-g82g-m9vx-vhjg","title":"Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget","link":"https:\/\/github.com\/advisories\/GHSA-g82g-m9vx-vhjg","cve":"CVE-2026-40479","affectedVersions":"\u003C2.53.0","source":"GitHub","reportedAt":"2026-04-15 19:46:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g82g-m9vx-vhjg"}]},{"advisoryId":"PKSA-td5w-h5y4-9w1v","packageName":"kimai\/kimai","remoteId":"GHSA-qh43-xrjm-4ggp","title":"Kimai\u0027s User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate","link":"https:\/\/github.com\/advisories\/GHSA-qh43-xrjm-4ggp","cve":"CVE-2026-40486","affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-15 19:46:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qh43-xrjm-4ggp"}]},{"advisoryId":"PKSA-7mgs-q4t6-z3xx","packageName":"kimai\/kimai","remoteId":"GHSA-3jp4-mhh4-gcgr","title":"Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler","link":"https:\/\/github.com\/advisories\/GHSA-3jp4-mhh4-gcgr","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:06","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3jp4-mhh4-gcgr"}]},{"advisoryId":"PKSA-k88g-1gqq-x96c","packageName":"kimai\/kimai","remoteId":"GHSA-rh42-6rj2-xwmc","title":"Kimai leaks API Token Hash via Invoice Twig Template","link":"https:\/\/github.com\/advisories\/GHSA-rh42-6rj2-xwmc","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:25","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rh42-6rj2-xwmc"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-dmwd-n76s-m3f9","packageName":"craftcms\/cms","remoteId":"GHSA-jq2f-59pj-p3m3","title":"Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action","link":"https:\/\/github.com\/advisories\/GHSA-jq2f-59pj-p3m3","cve":null,"affectedVersions":"\u003E=5.6.0,\u003C5.9.15","source":"GitHub","reportedAt":"2026-04-14 23:34:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jq2f-59pj-p3m3"}]},{"advisoryId":"PKSA-wb3t-ts8t-d4cj","packageName":"craftcms\/cms","remoteId":"GHSA-3m9m-24vh-39wx","title":"Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations","link":"https:\/\/github.com\/advisories\/GHSA-3m9m-24vh-39wx","cve":null,"affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:35:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3m9m-24vh-39wx"}]},{"advisoryId":"PKSA-ntd3-69q5-4cfy","packageName":"craftcms\/cms","remoteId":"GHSA-95wr-3f2v-v2wh","title":"Craft CMS has a host header injection leading to SSRF via resource-js endpoint","link":"https:\/\/github.com\/advisories\/GHSA-95wr-3f2v-v2wh","cve":null,"affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:36:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-95wr-3f2v-v2wh"}]},{"advisoryId":"PKSA-hq3k-cthz-b9zn","packageName":"craftcms\/cms","remoteId":"GHSA-44px-qjjc-xrhq","title":"Craft CMS: Authorized asset \u0022preview file\u0022 requests bypass allows users without asset access to retrieve private preview metadata","link":"https:\/\/github.com\/advisories\/GHSA-44px-qjjc-xrhq","cve":null,"affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-26 17:12:21","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-44px-qjjc-xrhq"}]},{"advisoryId":"PKSA-w984-dygq-7ryn","packageName":"craftcms\/cms","remoteId":"GHSA-vgjg-248p-rfm2","title":"Craft CMS\u0027 anonymous \u0022assets\/image-editor\u0022 calls return private asset editor metadata to unauthorized users","link":"https:\/\/github.com\/advisories\/GHSA-vgjg-248p-rfm2","cve":"CVE-2026-33161","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 17:27:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-vgjg-248p-rfm2"}]},{"advisoryId":"PKSA-7c6f-2hwc-ptwd","packageName":"craftcms\/cms","remoteId":"GHSA-f582-6gf6-gx4g","title":"Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions","link":"https:\/\/github.com\/advisories\/GHSA-f582-6gf6-gx4g","cve":"CVE-2026-33162","affectedVersions":"\u003E=5.3.0,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 17:28:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f582-6gf6-gx4g"}]},{"advisoryId":"PKSA-twkq-r2c1-87qq","packageName":"craftcms\/cms","remoteId":"GHSA-2fph-6v5w-89hh","title":"Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior","link":"https:\/\/github.com\/advisories\/GHSA-2fph-6v5w-89hh","cve":"CVE-2026-33157","affectedVersions":"\u003E=5.6.0,\u003C=5.9.12","source":"GitHub","reportedAt":"2026-03-24 16:50:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fph-6v5w-89hh"}]},{"advisoryId":"PKSA-548y-fsbg-y9t7","packageName":"craftcms\/cms","remoteId":"GHSA-3pvf-vxrv-hh9c","title":"Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)","link":"https:\/\/github.com\/advisories\/GHSA-3pvf-vxrv-hh9c","cve":"CVE-2026-33158","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.13|\u003E=4.0.0-RC1,\u003C=4.17.7","source":"GitHub","reportedAt":"2026-03-24 16:53:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3pvf-vxrv-hh9c"}]},{"advisoryId":"PKSA-rxrx-pcy1-2csw","packageName":"craftcms\/cms","remoteId":"GHSA-6mrr-q3pj-h53w","title":"Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations","link":"https:\/\/github.com\/advisories\/GHSA-6mrr-q3pj-h53w","cve":"CVE-2026-33159","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 16:57:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6mrr-q3pj-h53w"}]},{"advisoryId":"PKSA-swp1-ty4d-gpzy","packageName":"craftcms\/cms","remoteId":"GHSA-5pgf-h923-m958","title":"Craft CMS may expose private assets through anonymous \u0022generate transform\u0022 calls via transform URL","link":"https:\/\/github.com\/advisories\/GHSA-5pgf-h923-m958","cve":"CVE-2026-33160","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.7|\u003E=5.0.0-RC1,\u003C=5.9.13","source":"GitHub","reportedAt":"2026-03-24 16:59:58","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5pgf-h923-m958"}]},{"advisoryId":"PKSA-1n7m-zdqf-4n15","packageName":"craftcms\/cms","remoteId":"GHSA-3x4w-mxpf-fhqq","title":"Craft CMS Vulnerable to Stored XSS in Revision Context Menu","link":"https:\/\/github.com\/advisories\/GHSA-3x4w-mxpf-fhqq","cve":"CVE-2026-33051","affectedVersions":"\u003E=5.9.0-beta.1,\u003C=5.9.10","source":"GitHub","reportedAt":"2026-03-18 12:58:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3x4w-mxpf-fhqq"}]},{"advisoryId":"PKSA-s8c8-j6wr-t4ds","packageName":"craftcms\/cms","remoteId":"GHSA-cc7p-2j3x-x7xf","title":"Craft CMS Vulnerable to Privilege Escalation\/Bypass through UsersController-\u003EactionImpersonateWithToken()","link":"https:\/\/github.com\/advisories\/GHSA-cc7p-2j3x-x7xf","cve":"CVE-2026-32267","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.11|\u003E=4.0.0-RC1,\u003C=4.17.5","source":"GitHub","reportedAt":"2026-03-16 18:44:20","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cc7p-2j3x-x7xf"}]},{"advisoryId":"PKSA-y7v4-m2bd-8h2y","packageName":"craftcms\/cms","remoteId":"GHSA-472v-j2g4-g9h2","title":"Craft CMS has a Path Traversal Vulnerability in AssetsController","link":"https:\/\/github.com\/advisories\/GHSA-472v-j2g4-g9h2","cve":"CVE-2026-32262","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.10|\u003E=4.0.0-RC1,\u003C=4.17.4","source":"GitHub","reportedAt":"2026-03-16 18:11:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-472v-j2g4-g9h2"}]},{"advisoryId":"PKSA-1n2n-7k4d-96rt","packageName":"craftcms\/cms","remoteId":"GHSA-qx2q-q59v-wf3j","title":"Craft CMS vulnerable to behavior injection RCE via EntryTypesController","link":"https:\/\/github.com\/advisories\/GHSA-qx2q-q59v-wf3j","cve":"CVE-2026-32263","affectedVersions":"\u003E=5.6.0,\u003C=5.9.10","source":"GitHub","reportedAt":"2026-03-16 18:12:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qx2q-q59v-wf3j"}]},{"advisoryId":"PKSA-1qxd-z2sm-yssc","packageName":"craftcms\/cms","remoteId":"GHSA-4484-8v2f-5748","title":"Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController","link":"https:\/\/github.com\/advisories\/GHSA-4484-8v2f-5748","cve":"CVE-2026-32264","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.10|\u003E=4.0.0-RC1,\u003C=4.17.4","source":"GitHub","reportedAt":"2026-03-16 18:13:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4484-8v2f-5748"}]},{"advisoryId":"PKSA-w79g-q9vy-mw7b","packageName":"craftcms\/cms","remoteId":"GHSA-fp5j-j7j4-mcxc","title":"CraftCMS has an RCE vulnerability via relational conditionals in the control panel","link":"https:\/\/github.com\/advisories\/GHSA-fp5j-j7j4-mcxc","cve":"CVE-2026-31857","affectedVersions":"\u003E=4.0.0-beta.1,\u003C=4.17.3|\u003E=5.0.0-RC1,\u003C=5.9.8","source":"GitHub","reportedAt":"2026-03-11 14:56:45","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fp5j-j7j4-mcxc"}]},{"advisoryId":"PKSA-sc5m-6n1y-h7vz","packageName":"craftcms\/cms","remoteId":"GHSA-g3hp-vvqf-8vw6","title":"Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page","link":"https:\/\/github.com\/advisories\/GHSA-g3hp-vvqf-8vw6","cve":null,"affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.8.21","source":"GitHub","reportedAt":"2026-03-11 14:56:59","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-g3hp-vvqf-8vw6"}]},{"advisoryId":"PKSA-t9v1-2frg-d2wy","packageName":"craftcms\/cms","remoteId":"GHSA-fvwq-45qv-xvhv","title":"CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization","link":"https:\/\/github.com\/advisories\/GHSA-fvwq-45qv-xvhv","cve":"CVE-2026-31859","affectedVersions":"\u003E=5.7.5,\u003C=5.9.6|\u003E=4.15.3,\u003C=4.17.2","source":"GitHub","reportedAt":"2026-03-11 00:26:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fvwq-45qv-xvhv"}]},{"advisoryId":"PKSA-2bdn-bpjn-j9q4","packageName":"craftcms\/cms","remoteId":"GHSA-g7j6-fmwx-7vp8","title":"CraftCMS\u0027s `ElementSearchController` Affected by Blind SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-g7j6-fmwx-7vp8","cve":"CVE-2026-31858","affectedVersions":"\u003E=5.0.0-RC1,\u003C=5.9.8","source":"GitHub","reportedAt":"2026-03-11 00:27:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-g7j6-fmwx-7vp8"}]},{"advisoryId":"PKSA-24yr-dkzm-n9v5","packageName":"craftcms\/cms","remoteId":"GHSA-vg3j-hpm9-8v5v","title":"Craft CMS has a potential information disclosure vulnerability in preview tokens","link":"https:\/\/github.com\/advisories\/GHSA-vg3j-hpm9-8v5v","cve":"CVE-2026-29113","affectedVersions":"\u003E=5.0.0-RC1,\u003C5.9.6|\u003E=4.0.0-RC1,\u003C4.17.3","source":"GitHub","reportedAt":"2026-03-10 18:22:02","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-vg3j-hpm9-8v5v"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-q934-7bnb-4bby","packageName":"wwbn\/avideo","remoteId":"GHSA-5879-4fmr-xwf2","title":"WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal","link":"https:\/\/github.com\/advisories\/GHSA-5879-4fmr-xwf2","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:21:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5879-4fmr-xwf2"}]},{"advisoryId":"PKSA-8cks-7g1w-tz19","packageName":"wwbn\/avideo","remoteId":"GHSA-j432-4w3j-3w8j","title":"WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL","link":"https:\/\/github.com\/advisories\/GHSA-j432-4w3j-3w8j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j432-4w3j-3w8j"}]},{"advisoryId":"PKSA-gxyd-jpvf-3ngj","packageName":"wwbn\/avideo","remoteId":"GHSA-8pv3-29pp-pf8f","title":"WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver","link":"https:\/\/github.com\/advisories\/GHSA-8pv3-29pp-pf8f","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8pv3-29pp-pf8f"}]},{"advisoryId":"PKSA-pt2z-fxr4-fvmc","packageName":"wwbn\/avideo","remoteId":"GHSA-m63r-m9jh-3vc6","title":"WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters","link":"https:\/\/github.com\/advisories\/GHSA-m63r-m9jh-3vc6","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:23:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m63r-m9jh-3vc6"}]},{"advisoryId":"PKSA-gvmz-qdx4-njzh","packageName":"wwbn\/avideo","remoteId":"GHSA-m7r8-6q9j-m2hc","title":"WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS","link":"https:\/\/github.com\/advisories\/GHSA-m7r8-6q9j-m2hc","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:25:28","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m7r8-6q9j-m2hc"}]},{"advisoryId":"PKSA-v7bq-jd15-qdrz","packageName":"wwbn\/avideo","remoteId":"GHSA-pq8p-wc4f-vg7j","title":"WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-pq8p-wc4f-vg7j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:27:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pq8p-wc4f-vg7j"}]},{"advisoryId":"PKSA-nfcd-g6c3-5tff","packageName":"wwbn\/avideo","remoteId":"GHSA-vvfw-4m39-fjqf","title":"WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials","link":"https:\/\/github.com\/advisories\/GHSA-vvfw-4m39-fjqf","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vvfw-4m39-fjqf"}]},{"advisoryId":"PKSA-ttj4-18vr-tsp9","packageName":"wwbn\/avideo","remoteId":"GHSA-ffw8-fwxp-h64w","title":"WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)","link":"https:\/\/github.com\/advisories\/GHSA-ffw8-fwxp-h64w","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ffw8-fwxp-h64w"}]},{"advisoryId":"PKSA-k36z-m2m9-7f9w","packageName":"wwbn\/avideo","remoteId":"GHSA-x2pw-9c38-cp2j","title":"WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion","link":"https:\/\/github.com\/advisories\/GHSA-x2pw-9c38-cp2j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x2pw-9c38-cp2j"}]},{"advisoryId":"PKSA-8nj2-vhcz-7bc5","packageName":"wwbn\/avideo","remoteId":"GHSA-8qm8-g55h-xmqr","title":"WWBN AVideo is missing CSRF protection in objects\/commentDelete.json.php enables mass comment deletion against moderators and content creators","link":"https:\/\/github.com\/advisories\/GHSA-8qm8-g55h-xmqr","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8qm8-g55h-xmqr"}]},{"advisoryId":"PKSA-k6wt-ck7m-8514","packageName":"wwbn\/avideo","remoteId":"GHSA-hg7g-56h5-5pqr","title":"CAPTCHA Bypass in WWBN\/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure","link":"https:\/\/github.com\/advisories\/GHSA-hg7g-56h5-5pqr","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hg7g-56h5-5pqr"}]},{"advisoryId":"PKSA-zgmc-4215-ztzk","packageName":"wwbn\/avideo","remoteId":"GHSA-793q-xgj6-7frp","title":"WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF","link":"https:\/\/github.com\/advisories\/GHSA-793q-xgj6-7frp","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:15:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-793q-xgj6-7frp"}]},{"advisoryId":"PKSA-5c4b-gnfd-8xsq","packageName":"wwbn\/avideo","remoteId":"GHSA-ccq9-r5cw-5hwq","title":"WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover","link":"https:\/\/github.com\/advisories\/GHSA-ccq9-r5cw-5hwq","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ccq9-r5cw-5hwq"}]},{"advisoryId":"PKSA-tsyg-vszv-9tkz","packageName":"wwbn\/avideo","remoteId":"GHSA-ff5q-cc22-fgp4","title":"WWBN AVideo has a CORS Origin Reflection Bypass via plugin\/API\/router.php and allowOrigin(true) Exposes Authenticated API Responses","link":"https:\/\/github.com\/advisories\/GHSA-ff5q-cc22-fgp4","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ff5q-cc22-fgp4"}]},{"advisoryId":"PKSA-zr2c-vrf1-x6qy","packageName":"wwbn\/avideo","remoteId":"GHSA-gph2-j4c9-vhhr","title":"WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks","link":"https:\/\/github.com\/advisories\/GHSA-gph2-j4c9-vhhr","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:50:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gph2-j4c9-vhhr"}]},{"advisoryId":"PKSA-2sy8-4q8b-cn2c","packageName":"wwbn\/avideo","remoteId":"GHSA-gpgp-w4x2-h3h7","title":"WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users\u0027 Stream Keys and OAuth Tokens","link":"https:\/\/github.com\/advisories\/GHSA-gpgp-w4x2-h3h7","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gpgp-w4x2-h3h7"}]},{"advisoryId":"PKSA-yc9y-ydj1-h48d","packageName":"wwbn\/avideo","remoteId":"GHSA-52hf-63q4-r926","title":"WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version","link":"https:\/\/github.com\/advisories\/GHSA-52hf-63q4-r926","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:25","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-52hf-63q4-r926"}]},{"advisoryId":"PKSA-mbzn-myxk-vdz9","packageName":"wwbn\/avideo","remoteId":"GHSA-6rc6-p838-686f","title":"WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-6rc6-p838-686f","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6rc6-p838-686f"}]},{"advisoryId":"PKSA-f178-s5q3-rpz6","packageName":"wwbn\/avideo","remoteId":"GHSA-687q-32c6-8x68","title":"AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-687q-32c6-8x68","cve":"CVE-2026-33478","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:43:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-687q-32c6-8x68"}]},{"advisoryId":"PKSA-1dhf-r34w-p2f7","packageName":"wwbn\/avideo","remoteId":"GHSA-mmw7-wq3c-wf9p","title":"WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php","link":"https:\/\/github.com\/advisories\/GHSA-mmw7-wq3c-wf9p","cve":"CVE-2026-39366","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mmw7-wq3c-wf9p"}]},{"advisoryId":"PKSA-zd55-pq2p-fmtz","packageName":"wwbn\/avideo","remoteId":"GHSA-rqp3-gf5h-mrqx","title":"WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page","link":"https:\/\/github.com\/advisories\/GHSA-rqp3-gf5h-mrqx","cve":"CVE-2026-39367","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rqp3-gf5h-mrqx"}]},{"advisoryId":"PKSA-9dyr-jdcn-mr53","packageName":"wwbn\/avideo","remoteId":"GHSA-q4x6-6mm2-crg9","title":"WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services","link":"https:\/\/github.com\/advisories\/GHSA-q4x6-6mm2-crg9","cve":"CVE-2026-39368","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q4x6-6mm2-crg9"}]},{"advisoryId":"PKSA-jrf5-73b5-1wm8","packageName":"wwbn\/avideo","remoteId":"GHSA-f4f9-627c-jh33","title":"WWBN AVideo\u0027s GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs","link":"https:\/\/github.com\/advisories\/GHSA-f4f9-627c-jh33","cve":"CVE-2026-39369","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f4f9-627c-jh33"}]},{"advisoryId":"PKSA-k95w-1pmg-ryfd","packageName":"wwbn\/avideo","remoteId":"GHSA-cmcr-q4jf-p6q9","title":"WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)","link":"https:\/\/github.com\/advisories\/GHSA-cmcr-q4jf-p6q9","cve":"CVE-2026-39370","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cmcr-q4jf-p6q9"}]},{"advisoryId":"PKSA-v2fv-f7cj-pvmk","packageName":"wwbn\/avideo","remoteId":"GHSA-3v7m-qg4x-58h9","title":"AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php","link":"https:\/\/github.com\/advisories\/GHSA-3v7m-qg4x-58h9","cve":"CVE-2026-35448","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:15:37","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3v7m-qg4x-58h9"}]},{"advisoryId":"PKSA-8k5g-7b6v-dmzw","packageName":"wwbn\/avideo","remoteId":"GHSA-hg8q-8wqr-35xx","title":"AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install\/test.php","link":"https:\/\/github.com\/advisories\/GHSA-hg8q-8wqr-35xx","cve":"CVE-2026-35449","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:16:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hg8q-8wqr-35xx"}]},{"advisoryId":"PKSA-yv5c-84v4-5kzs","packageName":"wwbn\/avideo","remoteId":"GHSA-2vg4-rrx4-qcpq","title":"AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php","link":"https:\/\/github.com\/advisories\/GHSA-2vg4-rrx4-qcpq","cve":"CVE-2026-35450","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:16:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2vg4-rrx4-qcpq"}]},{"advisoryId":"PKSA-8d75-pkrm-ryk2","packageName":"wwbn\/avideo","remoteId":"GHSA-99j6-hj87-6fcf","title":"AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php","link":"https:\/\/github.com\/advisories\/GHSA-99j6-hj87-6fcf","cve":"CVE-2026-35452","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:17:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-99j6-hj87-6fcf"}]},{"advisoryId":"PKSA-6czf-bc7p-h4k6","packageName":"wwbn\/avideo","remoteId":"GHSA-4q27-4rrq-fx95","title":"AVideo: CSRF on Player Skin Configuration via admin\/playerUpdate.json.php","link":"https:\/\/github.com\/advisories\/GHSA-4q27-4rrq-fx95","cve":"CVE-2026-35181","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4q27-4rrq-fx95"}]},{"advisoryId":"PKSA-9kdr-v9xz-q97d","packageName":"wwbn\/avideo","remoteId":"GHSA-x9w5-xccw-5h9w","title":"AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php","link":"https:\/\/github.com\/advisories\/GHSA-x9w5-xccw-5h9w","cve":"CVE-2026-35179","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:33:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x9w5-xccw-5h9w"}]},{"advisoryId":"PKSA-h129-dyyg-hqpq","packageName":"wwbn\/avideo","remoteId":"GHSA-gmpc-fxg2-vcmq","title":"AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin","link":"https:\/\/github.com\/advisories\/GHSA-gmpc-fxg2-vcmq","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 23:25:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gmpc-fxg2-vcmq"}]},{"advisoryId":"PKSA-nbcf-22q2-3259","packageName":"wwbn\/avideo","remoteId":"GHSA-4jcg-jxpf-5vq3","title":"AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php","link":"https:\/\/github.com\/advisories\/GHSA-4jcg-jxpf-5vq3","cve":"CVE-2026-34731","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:04:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jcg-jxpf-5vq3"}]},{"advisoryId":"PKSA-mshg-1d1p-db19","packageName":"wwbn\/avideo","remoteId":"GHSA-g2mg-cgr6-vmv7","title":"AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-g2mg-cgr6-vmv7","cve":"CVE-2026-34732","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:05:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g2mg-cgr6-vmv7"}]},{"advisoryId":"PKSA-tjqt-v3v3-pg6b","packageName":"wwbn\/avideo","remoteId":"GHSA-wwpw-hrx8-79r5","title":"AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard","link":"https:\/\/github.com\/advisories\/GHSA-wwpw-hrx8-79r5","cve":"CVE-2026-34733","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:06:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wwpw-hrx8-79r5"}]},{"advisoryId":"PKSA-jw1r-58j1-stm1","packageName":"wwbn\/avideo","remoteId":"GHSA-38rh-4v39-vfxv","title":"AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug","link":"https:\/\/github.com\/advisories\/GHSA-38rh-4v39-vfxv","cve":"CVE-2026-34737","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:06:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38rh-4v39-vfxv"}]},{"advisoryId":"PKSA-4yg6-hdf3-cm7q","packageName":"wwbn\/avideo","remoteId":"GHSA-m577-w9j8-ch7j","title":"AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter","link":"https:\/\/github.com\/advisories\/GHSA-m577-w9j8-ch7j","cve":"CVE-2026-34738","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:07:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m577-w9j8-ch7j"}]},{"advisoryId":"PKSA-trzy-nkyc-3bq1","packageName":"wwbn\/avideo","remoteId":"GHSA-jqrj-chh6-8h78","title":"AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php","link":"https:\/\/github.com\/advisories\/GHSA-jqrj-chh6-8h78","cve":"CVE-2026-34739","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:08:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jqrj-chh6-8h78"}]},{"advisoryId":"PKSA-v4v4-994j-g46x","packageName":"wwbn\/avideo","remoteId":"GHSA-x5vx-vrpf-r45f","title":"AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation","link":"https:\/\/github.com\/advisories\/GHSA-x5vx-vrpf-r45f","cve":"CVE-2026-34740","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:08:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5vx-vrpf-r45f"}]},{"advisoryId":"PKSA-bppj-bwtk-gjyq","packageName":"wwbn\/avideo","remoteId":"GHSA-hqxf-mhfw-rc44","title":"AVideo: CSRF on Plugin Enable\/Disable Endpoint Allows Disabling Security Plugins","link":"https:\/\/github.com\/advisories\/GHSA-hqxf-mhfw-rc44","cve":"CVE-2026-34613","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:54:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hqxf-mhfw-rc44"}]},{"advisoryId":"PKSA-nph7-q1m2-1jj5","packageName":"wwbn\/avideo","remoteId":"GHSA-w4hp-w536-jg64","title":"AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification","link":"https:\/\/github.com\/advisories\/GHSA-w4hp-w536-jg64","cve":"CVE-2026-34716","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:54:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w4hp-w536-jg64"}]},{"advisoryId":"PKSA-zmm3-dkmp-577r","packageName":"wwbn\/avideo","remoteId":"GHSA-c4xj-x7p8-3x7q","title":"AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users","link":"https:\/\/github.com\/advisories\/GHSA-c4xj-x7p8-3x7q","cve":"CVE-2026-34611","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:48:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c4xj-x7p8-3x7q"}]},{"advisoryId":"PKSA-9wd9-hqm1-g8vw","packageName":"wwbn\/avideo","remoteId":"GHSA-77jp-mgcw-rfmr","title":"AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php","link":"https:\/\/github.com\/advisories\/GHSA-77jp-mgcw-rfmr","cve":"CVE-2026-34395","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:21:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-77jp-mgcw-rfmr"}]},{"advisoryId":"PKSA-8d8v-tnwh-mvxd","packageName":"wwbn\/avideo","remoteId":"GHSA-v4h7-3x43-qqw4","title":"AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel","link":"https:\/\/github.com\/advisories\/GHSA-v4h7-3x43-qqw4","cve":"CVE-2026-34396","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:22:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v4h7-3x43-qqw4"}]},{"advisoryId":"PKSA-sgq7-y46w-x6wm","packageName":"wwbn\/avideo","remoteId":"GHSA-4wwr-7h7c-chqr","title":"AVideo\u0027s CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-4wwr-7h7c-chqr","cve":"CVE-2026-34394","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:15:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4wwr-7h7c-chqr"}]},{"advisoryId":"PKSA-jgsk-3v13-mp5q","packageName":"wwbn\/avideo","remoteId":"GHSA-q6jj-r49p-94fh","title":"AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification","link":"https:\/\/github.com\/advisories\/GHSA-q6jj-r49p-94fh","cve":"CVE-2026-34369","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 18:03:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q6jj-r49p-94fh"}]},{"advisoryId":"PKSA-vp5k-2k3q-kh8x","packageName":"wwbn\/avideo","remoteId":"GHSA-pm37-62g7-p768","title":"AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page","link":"https:\/\/github.com\/advisories\/GHSA-pm37-62g7-p768","cve":"CVE-2026-34375","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 18:08:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm37-62g7-p768"}]},{"advisoryId":"PKSA-r7hg-81sr-ph3s","packageName":"wwbn\/avideo","remoteId":"GHSA-h54m-c522-h6qr","title":"AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance","link":"https:\/\/github.com\/advisories\/GHSA-h54m-c522-h6qr","cve":"CVE-2026-34368","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:51:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h54m-c522-h6qr"}]},{"advisoryId":"PKSA-zrqg-465j-tm13","packageName":"wwbn\/avideo","remoteId":"GHSA-73gr-r64q-7jh4","title":"AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php","link":"https:\/\/github.com\/advisories\/GHSA-73gr-r64q-7jh4","cve":"CVE-2026-34364","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:49:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-73gr-r64q-7jh4"}]},{"advisoryId":"PKSA-3yrj-j1ff-gsp4","packageName":"wwbn\/avideo","remoteId":"GHSA-2mg4-pfgx-64cf","title":"AVideo\u0027s WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()","link":"https:\/\/github.com\/advisories\/GHSA-2mg4-pfgx-64cf","cve":"CVE-2026-34362","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:35:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2mg4-pfgx-64cf"}]},{"advisoryId":"PKSA-mhr2-p9hx-xy4j","packageName":"wwbn\/avideo","remoteId":"GHSA-wprj-9cvc-5w37","title":"AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records","link":"https:\/\/github.com\/advisories\/GHSA-wprj-9cvc-5w37","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:40:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wprj-9cvc-5w37"}]},{"advisoryId":"PKSA-fw58-yv1p-mjjv","packageName":"wwbn\/avideo","remoteId":"GHSA-2rm7-j397-3fqg","title":"AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-2rm7-j397-3fqg","cve":"CVE-2026-34245","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:41:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2rm7-j397-3fqg"}]},{"advisoryId":"PKSA-6jcq-63hk-b922","packageName":"wwbn\/avideo","remoteId":"GHSA-g3hj-mf85-679g","title":"AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications","link":"https:\/\/github.com\/advisories\/GHSA-g3hj-mf85-679g","cve":"CVE-2026-34247","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:41:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g3hj-mf85-679g"}]},{"advisoryId":"PKSA-37q2-fmsd-htgf","packageName":"wwbn\/avideo","remoteId":"GHSA-f359-r3pv-2phf","title":"AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f359-r3pv-2phf","cve":"CVE-2026-33766","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:10:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f359-r3pv-2phf"}]},{"advisoryId":"PKSA-d7fp-yz92-57bz","packageName":"wwbn\/avideo","remoteId":"GHSA-fj74-qxj7-r3vc","title":"AVideo has SQL Injection via Partial Prepared Statement \u2014 videos_id Concatenated Directly into Query","link":"https:\/\/github.com\/advisories\/GHSA-fj74-qxj7-r3vc","cve":"CVE-2026-33767","affectedVersions":"\u003C26.0","source":"GitHub","reportedAt":"2026-03-26 18:12:33","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fj74-qxj7-r3vc"}]},{"advisoryId":"PKSA-d1c1-62x6-fsdv","packageName":"wwbn\/avideo","remoteId":"GHSA-584p-rpvq-35vf","title":"AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables","link":"https:\/\/github.com\/advisories\/GHSA-584p-rpvq-35vf","cve":"CVE-2026-33770","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:15:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-584p-rpvq-35vf"}]},{"advisoryId":"PKSA-vcf8-yygk-smvm","packageName":"wwbn\/avideo","remoteId":"GHSA-363v-5rh8-23wg","title":"AVideo has Plaintext Video Password Storage","link":"https:\/\/github.com\/advisories\/GHSA-363v-5rh8-23wg","cve":"CVE-2026-33867","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:16:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-363v-5rh8-23wg"}]},{"advisoryId":"PKSA-kzzd-7tpm-2718","packageName":"wwbn\/avideo","remoteId":"GHSA-75qq-68m8-pvfr","title":"AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents","link":"https:\/\/github.com\/advisories\/GHSA-75qq-68m8-pvfr","cve":"CVE-2026-33759","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:05:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-75qq-68m8-pvfr"}]},{"advisoryId":"PKSA-t2zr-g4vs-n5nr","packageName":"wwbn\/avideo","remoteId":"GHSA-j724-5c6c-68g5","title":"AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings","link":"https:\/\/github.com\/advisories\/GHSA-j724-5c6c-68g5","cve":"CVE-2026-33761","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:06:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j724-5c6c-68g5"}]},{"advisoryId":"PKSA-qmkf-gp88-ftk6","packageName":"wwbn\/avideo","remoteId":"GHSA-8prq-2jr2-cm92","title":"AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle","link":"https:\/\/github.com\/advisories\/GHSA-8prq-2jr2-cm92","cve":"CVE-2026-33763","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:07:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8prq-2jr2-cm92"}]},{"advisoryId":"PKSA-ggc8-4vpf-v295","packageName":"wwbn\/avideo","remoteId":"GHSA-g39v-qrj6-jxrh","title":"AVideo: IDOR in AI Plugin Allows Stealing Other Users\u0027 AI-Generated Metadata and Transcriptions","link":"https:\/\/github.com\/advisories\/GHSA-g39v-qrj6-jxrh","cve":"CVE-2026-33764","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:08:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g39v-qrj6-jxrh"}]},{"advisoryId":"PKSA-nk6y-bx1m-kq7t","packageName":"wwbn\/avideo","remoteId":"GHSA-r64r-883r-wcwh","title":"AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment","link":"https:\/\/github.com\/advisories\/GHSA-r64r-883r-wcwh","cve":"CVE-2026-33719","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:55:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r64r-883r-wcwh"}]},{"advisoryId":"PKSA-c9d6-fz2f-92mg","packageName":"wwbn\/avideo","remoteId":"GHSA-ffr8-fxhv-fv8h","title":"AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter","link":"https:\/\/github.com\/advisories\/GHSA-ffr8-fxhv-fv8h","cve":"CVE-2026-33723","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:56:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ffr8-fxhv-fv8h"}]},{"advisoryId":"PKSA-7gff-yt7v-8bkx","packageName":"wwbn\/avideo","remoteId":"GHSA-9hv9-gvwm-95f2","title":"AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php","link":"https:\/\/github.com\/advisories\/GHSA-9hv9-gvwm-95f2","cve":"CVE-2026-33716","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:28:21","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9hv9-gvwm-95f2"}]},{"advisoryId":"PKSA-xbpw-5md3-j3nz","packageName":"wwbn\/avideo","remoteId":"GHSA-8wf4-c4x3-h952","title":"AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL","link":"https:\/\/github.com\/advisories\/GHSA-8wf4-c4x3-h952","cve":"CVE-2026-33717","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 21:28:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8wf4-c4x3-h952"}]},{"advisoryId":"PKSA-9p99-sn38-6cwv","packageName":"wwbn\/avideo","remoteId":"GHSA-3hwv-x8g3-9qpr","title":"AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name","link":"https:\/\/github.com\/advisories\/GHSA-3hwv-x8g3-9qpr","cve":"CVE-2026-33681","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:51:46","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3hwv-x8g3-9qpr"}]},{"advisoryId":"PKSA-cx3j-v85y-y9tv","packageName":"wwbn\/avideo","remoteId":"GHSA-ghx5-7jjg-q2j7","title":"AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field","link":"https:\/\/github.com\/advisories\/GHSA-ghx5-7jjg-q2j7","cve":"CVE-2026-33683","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:52:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ghx5-7jjg-q2j7"}]},{"advisoryId":"PKSA-rhxf-1yfy-x5fd","packageName":"wwbn\/avideo","remoteId":"GHSA-j36m-74g2-7m95","title":"AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data","link":"https:\/\/github.com\/advisories\/GHSA-j36m-74g2-7m95","cve":"CVE-2026-33685","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:52:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j36m-74g2-7m95"}]},{"advisoryId":"PKSA-rmrd-1jny-519s","packageName":"wwbn\/avideo","remoteId":"GHSA-m99f-mmvg-3xmx","title":"AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-m99f-mmvg-3xmx","cve":"CVE-2026-33688","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:53:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m99f-mmvg-3xmx"}]},{"advisoryId":"PKSA-6bhm-ppng-rh7j","packageName":"wwbn\/avideo","remoteId":"GHSA-wxjx-r2j2-96fx","title":"AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin\/Live\/test.php","link":"https:\/\/github.com\/advisories\/GHSA-wxjx-r2j2-96fx","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:53:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wxjx-r2j2-96fx"}]},{"advisoryId":"PKSA-x77f-z8vb-hbfr","packageName":"wwbn\/avideo","remoteId":"GHSA-8p2x-5cpm-qrqw","title":"AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()","link":"https:\/\/github.com\/advisories\/GHSA-8p2x-5cpm-qrqw","cve":"CVE-2026-33690","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 19:54:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8p2x-5cpm-qrqw"}]},{"advisoryId":"PKSA-m663-qqs4-57t4","packageName":"wwbn\/avideo","remoteId":"GHSA-pvw4-p2jm-chjm","title":"AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()","link":"https:\/\/github.com\/advisories\/GHSA-pvw4-p2jm-chjm","cve":"CVE-2026-33651","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:50:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pvw4-p2jm-chjm"}]},{"advisoryId":"PKSA-sv6m-nx8k-5kz3","packageName":"wwbn\/avideo","remoteId":"GHSA-wxjw-phj6-g75w","title":"AVideo Vulnerable to Remote Code Execution via MIME\/Extension Mismatch in ImageGallery File Upload","link":"https:\/\/github.com\/advisories\/GHSA-wxjw-phj6-g75w","cve":"CVE-2026-33647","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:45:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wxjw-phj6-g75w"}]},{"advisoryId":"PKSA-cpqv-3x62-47s6","packageName":"wwbn\/avideo","remoteId":"GHSA-5m4q-5cvx-36mw","title":"AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path","link":"https:\/\/github.com\/advisories\/GHSA-5m4q-5cvx-36mw","cve":"CVE-2026-33648","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:47:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5m4q-5cvx-36mw"}]},{"advisoryId":"PKSA-nfgn-q1hy-xddr","packageName":"wwbn\/avideo","remoteId":"GHSA-g8x9-7mgh-7cvj","title":"AVideo\u0027s GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification","link":"https:\/\/github.com\/advisories\/GHSA-g8x9-7mgh-7cvj","cve":"CVE-2026-33649","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:48:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-g8x9-7mgh-7cvj"}]},{"advisoryId":"PKSA-kbvc-x3nh-bwr5","packageName":"wwbn\/avideo","remoteId":"GHSA-8x77-f38v-4m5j","title":"AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion","link":"https:\/\/github.com\/advisories\/GHSA-8x77-f38v-4m5j","cve":"CVE-2026-33650","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-25 17:49:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8x77-f38v-4m5j"}]},{"advisoryId":"PKSA-stv4-sw5c-pp7h","packageName":"wwbn\/avideo","remoteId":"GHSA-mwjc-5j4x-r686","title":"AVideo has an unauthenticated decrypt oracle leaking any ciphertext","link":"https:\/\/github.com\/advisories\/GHSA-mwjc-5j4x-r686","cve":"CVE-2026-33512","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 21:55:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mwjc-5j4x-r686"}]},{"advisoryId":"PKSA-2x5y-pg7k-8jx1","packageName":"wwbn\/avideo","remoteId":"GHSA-8fw8-q79c-fp9m","title":"AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)","link":"https:\/\/github.com\/advisories\/GHSA-8fw8-q79c-fp9m","cve":"CVE-2026-33513","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 21:55:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8fw8-q79c-fp9m"}]},{"advisoryId":"PKSA-9rhr-hzp4-skcj","packageName":"wwbn\/avideo","remoteId":"GHSA-hv36-p4w4-6vmj","title":"AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload","link":"https:\/\/github.com\/advisories\/GHSA-hv36-p4w4-6vmj","cve":"CVE-2026-33507","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 21:47:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hv36-p4w4-6vmj"}]},{"advisoryId":"PKSA-g9zg-y2pv-yf4q","packageName":"wwbn\/avideo","remoteId":"GHSA-7292-w8qp-mhq2","title":"AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php","link":"https:\/\/github.com\/advisories\/GHSA-7292-w8qp-mhq2","cve":"CVE-2026-33499","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:56:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7292-w8qp-mhq2"}]},{"advisoryId":"PKSA-fjmv-8jwk-wtsg","packageName":"wwbn\/avideo","remoteId":"GHSA-72h5-39r7-r26j","title":"AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-72h5-39r7-r26j","cve":"CVE-2026-33500","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:56:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-72h5-39r7-r26j"}]},{"advisoryId":"PKSA-93k3-9zdh-zky7","packageName":"wwbn\/avideo","remoteId":"GHSA-96qp-8cmq-jvq8","title":"AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin","link":"https:\/\/github.com\/advisories\/GHSA-96qp-8cmq-jvq8","cve":"CVE-2026-33501","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:57:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-96qp-8cmq-jvq8"}]},{"advisoryId":"PKSA-734r-s438-vkf3","packageName":"wwbn\/avideo","remoteId":"GHSA-3fpm-8rjr-v5mc","title":"AVideo has Unauthenticated SSRF via plugin\/Live\/test.php","link":"https:\/\/github.com\/advisories\/GHSA-3fpm-8rjr-v5mc","cve":"CVE-2026-33502","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:57:56","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-3fpm-8rjr-v5mc"}]},{"advisoryId":"PKSA-4kfk-t6qg-77z2","packageName":"wwbn\/avideo","remoteId":"GHSA-xggw-g9pm-9qhh","title":"AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin","link":"https:\/\/github.com\/advisories\/GHSA-xggw-g9pm-9qhh","cve":"CVE-2026-33479","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:44:02","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xggw-g9pm-9qhh"}]},{"advisoryId":"PKSA-8d9c-5xxm-8vns","packageName":"wwbn\/avideo","remoteId":"GHSA-p3gr-g84w-g8hh","title":"AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy","link":"https:\/\/github.com\/advisories\/GHSA-p3gr-g84w-g8hh","cve":"CVE-2026-33480","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:44:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p3gr-g84w-g8hh"}]},{"advisoryId":"PKSA-tp22-rjkg-27h5","packageName":"wwbn\/avideo","remoteId":"GHSA-pmj8-r2j7-xg6c","title":"AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()","link":"https:\/\/github.com\/advisories\/GHSA-pmj8-r2j7-xg6c","cve":"CVE-2026-33482","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:46:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pmj8-r2j7-xg6c"}]},{"advisoryId":"PKSA-f4gx-6t2c-nrd6","packageName":"wwbn\/avideo","remoteId":"GHSA-vv7w-qf5c-734w","title":"AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php","link":"https:\/\/github.com\/advisories\/GHSA-vv7w-qf5c-734w","cve":"CVE-2026-33483","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:46:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vv7w-qf5c-734w"}]},{"advisoryId":"PKSA-v7r8-5fwd-x92z","packageName":"wwbn\/avideo","remoteId":"GHSA-8p58-35c3-ccxx","title":"AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter","link":"https:\/\/github.com\/advisories\/GHSA-8p58-35c3-ccxx","cve":"CVE-2026-33485","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:47:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8p58-35c3-ccxx"}]},{"advisoryId":"PKSA-qjdg-5npg-72ng","packageName":"wwbn\/avideo","remoteId":"GHSA-6m5f-j7w2-w953","title":"AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin","link":"https:\/\/github.com\/advisories\/GHSA-6m5f-j7w2-w953","cve":"CVE-2026-33488","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:49:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6m5f-j7w2-w953"}]},{"advisoryId":"PKSA-3ybr-q6r1-fnzm","packageName":"wwbn\/avideo","remoteId":"GHSA-x3pr-vrhq-vq43","title":"AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration","link":"https:\/\/github.com\/advisories\/GHSA-x3pr-vrhq-vq43","cve":"CVE-2026-33492","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:49:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-x3pr-vrhq-vq43"}]},{"advisoryId":"PKSA-28kd-gd4j-w94p","packageName":"wwbn\/avideo","remoteId":"GHSA-83xq-8jxj-4rxm","title":"AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read\/Deletion via fileURI Parameter","link":"https:\/\/github.com\/advisories\/GHSA-83xq-8jxj-4rxm","cve":"CVE-2026-33493","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:49:36","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-83xq-8jxj-4rxm"}]},{"advisoryId":"PKSA-6mc5-gbk2-4jkz","packageName":"wwbn\/avideo","remoteId":"GHSA-4jw9-5hrc-m4j6","title":"AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`","link":"https:\/\/github.com\/advisories\/GHSA-4jw9-5hrc-m4j6","cve":"CVE-2026-33354","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-19 19:34:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jw9-5hrc-m4j6"}]},{"advisoryId":"PKSA-zqc4-q9ns-kq82","packageName":"wwbn\/avideo","remoteId":"GHSA-mcj5-6qr4-95fj","title":"AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)","link":"https:\/\/github.com\/advisories\/GHSA-mcj5-6qr4-95fj","cve":"CVE-2026-33352","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-19 19:25:53","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-mcj5-6qr4-95fj"}]},{"advisoryId":"PKSA-kz4k-1fdq-4jkn","packageName":"wwbn\/avideo","remoteId":"GHSA-5f7v-4f6g-74rj","title":"AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass","link":"https:\/\/github.com\/advisories\/GHSA-5f7v-4f6g-74rj","cve":"CVE-2026-33351","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-19 19:13:26","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-5f7v-4f6g-74rj"}]},{"advisoryId":"PKSA-yh5p-7324-8k1n","packageName":"wwbn\/avideo","remoteId":"GHSA-hj5h-5623-gwhw","title":"AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php","link":"https:\/\/github.com\/advisories\/GHSA-hj5h-5623-gwhw","cve":"CVE-2026-33296","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:25:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-hj5h-5623-gwhw"}]},{"advisoryId":"PKSA-qms8-qf5t-6w9q","packageName":"wwbn\/avideo","remoteId":"GHSA-6547-8hrg-c55m","title":"AVideo: IDOR - Any Admin Can Set Another User\u0027s Channel Password via setPassword.json.php","link":"https:\/\/github.com\/advisories\/GHSA-6547-8hrg-c55m","cve":"CVE-2026-33297","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:25:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6547-8hrg-c55m"}]},{"advisoryId":"PKSA-61gg-79td-yp6m","packageName":"wwbn\/avideo","remoteId":"GHSA-xmjm-86qv-g226","title":"AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter","link":"https:\/\/github.com\/advisories\/GHSA-xmjm-86qv-g226","cve":"CVE-2026-33293","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:12:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xmjm-86qv-g226"}]},{"advisoryId":"PKSA-69wq-d8c2-6qbn","packageName":"wwbn\/avideo","remoteId":"GHSA-66cw-h2mj-j39p","title":"AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources","link":"https:\/\/github.com\/advisories\/GHSA-66cw-h2mj-j39p","cve":"CVE-2026-33294","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:12:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66cw-h2mj-j39p"}]},{"advisoryId":"PKSA-7zcq-fgdd-9176","packageName":"wwbn\/avideo","remoteId":"GHSA-gc3m-4mcr-h3pv","title":"AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php","link":"https:\/\/github.com\/advisories\/GHSA-gc3m-4mcr-h3pv","cve":"CVE-2026-33295","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 17:12:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gc3m-4mcr-h3pv"}]},{"advisoryId":"PKSA-ht27-8rcs-t939","packageName":"wwbn\/avideo","remoteId":"GHSA-pw4v-x838-w5pg","title":"AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private\/Paid Videos","link":"https:\/\/github.com\/advisories\/GHSA-pw4v-x838-w5pg","cve":"CVE-2026-33292","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 16:43:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pw4v-x838-w5pg"}]},{"advisoryId":"PKSA-1msk-y5kh-hb4p","packageName":"wwbn\/avideo","remoteId":"GHSA-v467-g7g7-hhfh","title":"AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation","link":"https:\/\/github.com\/advisories\/GHSA-v467-g7g7-hhfh","cve":"CVE-2026-33237","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v467-g7g7-hhfh"}]},{"advisoryId":"PKSA-484r-cdwt-2gm4","packageName":"wwbn\/avideo","remoteId":"GHSA-4wmm-6qxj-fpj4","title":"AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-4wmm-6qxj-fpj4","cve":"CVE-2026-33238","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4wmm-6qxj-fpj4"}]},{"advisoryId":"PKSA-5drt-2yg3-m4bb","packageName":"wwbn\/avideo","remoteId":"GHSA-w5ff-2mjc-4phc","title":"AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command","link":"https:\/\/github.com\/advisories\/GHSA-w5ff-2mjc-4phc","cve":"CVE-2026-33319","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:45:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w5ff-2mjc-4phc"}]},{"advisoryId":"PKSA-3whn-q4tm-bwhh","packageName":"wwbn\/avideo","remoteId":"GHSA-5x2w-37xf-7962","title":"AVideo has Unauthenticated PGP Message Decryption via Public Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-5x2w-37xf-7962","cve":null,"affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:46:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5x2w-37xf-7962"}]},{"advisoryId":"PKSA-spwc-tcr7-cpby","packageName":"wwbn\/avideo","remoteId":"GHSA-9x67-f2v7-63rw","title":"AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy","link":"https:\/\/github.com\/advisories\/GHSA-9x67-f2v7-63rw","cve":"CVE-2026-33039","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 20:33:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9x67-f2v7-63rw"}]},{"advisoryId":"PKSA-qj1g-pbwp-h996","packageName":"wwbn\/avideo","remoteId":"GHSA-wfq5-qgqp-hvhv","title":"Unauthenticated Reflected XSS via innerHTML in AVideo","link":"https:\/\/github.com\/advisories\/GHSA-wfq5-qgqp-hvhv","cve":"CVE-2026-33035","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 20:05:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wfq5-qgqp-hvhv"}]},{"advisoryId":"PKSA-pcdx-pg9p-v4gz","packageName":"wwbn\/avideo","remoteId":"GHSA-qc3p-398r-p59j","title":"AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS","link":"https:\/\/github.com\/advisories\/GHSA-qc3p-398r-p59j","cve":"CVE-2026-33043","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 19:52:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qc3p-398r-p59j"}]},{"advisoryId":"PKSA-3jbs-pwhv-9v32","packageName":"wwbn\/avideo","remoteId":"GHSA-2f9h-23f7-8gcx","title":"AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments","link":"https:\/\/github.com\/advisories\/GHSA-2f9h-23f7-8gcx","cve":"CVE-2026-33038","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 19:46:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2f9h-23f7-8gcx"}]},{"advisoryId":"PKSA-v5mg-73g8-w2x4","packageName":"wwbn\/avideo","remoteId":"GHSA-px7x-gq96-rmp5","title":"AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php","link":"https:\/\/github.com\/advisories\/GHSA-px7x-gq96-rmp5","cve":"CVE-2026-33041","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-17 19:48:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-px7x-gq96-rmp5"}]},{"advisoryId":"PKSA-prng-jvqx-4vkt","packageName":"wwbn\/avideo","remoteId":"GHSA-6w2r-cfpc-23r5","title":"AVideo has Unauthenticated IDOR - Playlist Information Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-6w2r-cfpc-23r5","cve":"CVE-2026-30885","affectedVersions":"\u003C25.0","source":"GitHub","reportedAt":"2026-03-07 02:25:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6w2r-cfpc-23r5"}]}],"librenms\/librenms":[{"advisoryId":"PKSA-brrg-b2hn-sb6q","packageName":"librenms\/librenms","remoteId":"GHSA-rp7w-624x-95qv","title":"LibreNMS affected by an authenticated Cross-site Scripting vulnerability on the showconfig page","link":"https:\/\/github.com\/advisories\/GHSA-rp7w-624x-95qv","cve":"CVE-2026-2728","affectedVersions":"\u003C26.3.0","source":"GitHub","reportedAt":"2026-04-13 12:31:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rp7w-624x-95qv"}]},{"advisoryId":"PKSA-crbw-6n6w-1qmb","packageName":"librenms\/librenms","remoteId":"GHSA-pr3g-phhr-h8fh","title":"LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write","link":"https:\/\/github.com\/advisories\/GHSA-pr3g-phhr-h8fh","cve":"CVE-2026-6204","affectedVersions":"\u003E=1.48,\u003C26.3.0","source":"GitHub","reportedAt":"2026-03-26 18:04:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pr3g-phhr-h8fh"}]}],"s9y\/serendipity":[{"advisoryId":"PKSA-vfgc-2rdq-w256","packageName":"s9y\/serendipity","remoteId":"GHSA-4m6c-649p-f6gf","title":"Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php","link":"https:\/\/github.com\/advisories\/GHSA-4m6c-649p-f6gf","cve":"CVE-2026-39963","affectedVersions":"\u003C2.6.0","source":"GitHub","reportedAt":"2026-04-14 22:32:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4m6c-649p-f6gf"}]},{"advisoryId":"PKSA-fdbd-416g-v2zm","packageName":"s9y\/serendipity","remoteId":"GHSA-458g-q4fh-mj6r","title":"Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header","link":"https:\/\/github.com\/advisories\/GHSA-458g-q4fh-mj6r","cve":"CVE-2026-39971","affectedVersions":"\u003C2.6.0","source":"GitHub","reportedAt":"2026-04-14 22:32:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-458g-q4fh-mj6r"}]}],"october\/rain":[{"advisoryId":"PKSA-qst9-2ky5-dhpn","packageName":"october\/rain","remoteId":"GHSA-g6v3-wv4j-x9hg","title":"October Rain has Environment Variable Exfiltration via INI Parser Interpolation","link":"https:\/\/github.com\/advisories\/GHSA-g6v3-wv4j-x9hg","cve":"CVE-2026-25125","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 22:29:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g6v3-wv4j-x9hg"}]},{"advisoryId":"PKSA-22sk-dxft-df3d","packageName":"october\/rain","remoteId":"GHSA-gcqv-f29m-67gr","title":"October Rain has Stored XSS via SVG Filter Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gcqv-f29m-67gr","cve":"CVE-2026-25133","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 22:29:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcqv-f29m-67gr"}]},{"advisoryId":"PKSA-7hg1-vmz2-j7w6","packageName":"october\/rain","remoteId":"GHSA-m5qg-jc75-4jp6","title":"October Rain has a Twig Sandbox Bypass via Collection Methods","link":"https:\/\/github.com\/advisories\/GHSA-m5qg-jc75-4jp6","cve":"CVE-2026-22692","affectedVersions":"\u003C=3.7.12|\u003E=4.0.0,\u003C=4.1.4","source":"GitHub","reportedAt":"2026-04-14 20:02:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m5qg-jc75-4jp6"}]}],"october\/system":[{"advisoryId":"PKSA-44b4-zdw9-q1j5","packageName":"october\/system","remoteId":"GHSA-6qmh-j78v-ffp7","title":"October CMS has Stored XSS in Backend Editor Markup Classes","link":"https:\/\/github.com\/advisories\/GHSA-6qmh-j78v-ffp7","cve":"CVE-2026-24906","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 20:02:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6qmh-j78v-ffp7"}]},{"advisoryId":"PKSA-57nm-kh7g-ddrg","packageName":"october\/system","remoteId":"GHSA-j4j5-9x6g-rgxc","title":"October CMS has Stored XSS in Event Log Mail Preview","link":"https:\/\/github.com\/advisories\/GHSA-j4j5-9x6g-rgxc","cve":"CVE-2026-24907","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 20:02:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j4j5-9x6g-rgxc"}]}],"composer\/composer":[{"advisoryId":"PKSA-t5r2-p5q9-mtpn","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-40261.yaml","title":"Command injection via malicious Perforce source reference\/url","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-gqw4-4w2p-838q","cve":"CVE-2026-40261","affectedVersions":"\u003E=2.3,\u003C2.9.6|\u003E=1.0,\u003C2.2.27","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-14 09:42:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-40261.yaml"},{"name":"GitHub","remoteId":"GHSA-gqw4-4w2p-838q"}]},{"advisoryId":"PKSA-6bp1-9hfj-2cgv","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-40176.yaml","title":"Command injection via malicious Perforce repository definition","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-wg36-wvj6-r67p","cve":"CVE-2026-40176","affectedVersions":"\u003E=2.3,\u003C2.9.6|\u003E=1.0,\u003C2.2.27","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-14 09:42:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-40176.yaml"},{"name":"GitHub","remoteId":"GHSA-wg36-wvj6-r67p"}]}],"craftcms\/commerce":[{"advisoryId":"PKSA-tnb8-k5sw-yxmk","packageName":"craftcms\/commerce","remoteId":"GHSA-3vxg-x5f8-f5qf","title":"Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments","link":"https:\/\/github.com\/advisories\/GHSA-3vxg-x5f8-f5qf","cve":"CVE-2026-32270","affectedVersions":"\u003E=4.0.0,\u003C=4.10.2|\u003E=5.0.0,\u003C=5.5.4","source":"GitHub","reportedAt":"2026-04-14 01:01:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3vxg-x5f8-f5qf"}]},{"advisoryId":"PKSA-nhg1-858f-sgm2","packageName":"craftcms\/commerce","remoteId":"GHSA-r54v-qq87-px5r","title":"Craft Commerce hasVariant\/hasProduct Blind SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-r54v-qq87-px5r","cve":"CVE-2026-32272","affectedVersions":"\u003E=5.0.0,\u003C5.6.0","source":"GitHub","reportedAt":"2026-04-14 00:06:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r54v-qq87-px5r"}]},{"advisoryId":"PKSA-chpm-5f12-rdnt","packageName":"craftcms\/commerce","remoteId":"GHSA-875v-7m49-8x88","title":"Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget","link":"https:\/\/github.com\/advisories\/GHSA-875v-7m49-8x88","cve":"CVE-2026-32271","affectedVersions":"\u003E=5.0.0,\u003C=5.5.4|\u003E=4.0.0,\u003C=4.10.2","source":"GitHub","reportedAt":"2026-04-14 00:07:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-875v-7m49-8x88"}]},{"advisoryId":"PKSA-hf29-t8gq-x1bd","packageName":"craftcms\/commerce","remoteId":"GHSA-j3x5-mghf-xvfw","title":"Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting","link":"https:\/\/github.com\/advisories\/GHSA-j3x5-mghf-xvfw","cve":"CVE-2026-29172","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2|\u003E=4.0.0,\u003C=4.10.1","source":"GitHub","reportedAt":"2026-03-10 18:23:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j3x5-mghf-xvfw"}]},{"advisoryId":"PKSA-7wm1-vvyh-k91c","packageName":"craftcms\/commerce","remoteId":"GHSA-mqxf-2998-c6cp","title":"Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table","link":"https:\/\/github.com\/advisories\/GHSA-mqxf-2998-c6cp","cve":"CVE-2026-29173","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2|\u003E=4.0.0,\u003C=4.10.1","source":"GitHub","reportedAt":"2026-03-10 18:23:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mqxf-2998-c6cp"}]},{"advisoryId":"PKSA-5vsf-cyf4-k2zs","packageName":"craftcms\/commerce","remoteId":"GHSA-pmgj-gmm4-jh6j","title":"Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting","link":"https:\/\/github.com\/advisories\/GHSA-pmgj-gmm4-jh6j","cve":"CVE-2026-29174","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2","source":"GitHub","reportedAt":"2026-03-10 18:23:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pmgj-gmm4-jh6j"}]},{"advisoryId":"PKSA-c2f2-bw98-42sz","packageName":"craftcms\/commerce","remoteId":"GHSA-cfpv-rmpf-f624","title":"Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-cfpv-rmpf-f624","cve":"CVE-2026-29175","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2","source":"GitHub","reportedAt":"2026-03-10 18:23:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cfpv-rmpf-f624"}]},{"advisoryId":"PKSA-9385-f9kj-gpgr","packageName":"craftcms\/commerce","remoteId":"GHSA-wj89-2385-gpx3","title":"Craft Commerce has stored XSS in Inventory Location Name","link":"https:\/\/github.com\/advisories\/GHSA-wj89-2385-gpx3","cve":"CVE-2026-29176","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2","source":"GitHub","reportedAt":"2026-03-10 18:23:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wj89-2385-gpx3"}]},{"advisoryId":"PKSA-q6pp-5z96-2bd2","packageName":"craftcms\/commerce","remoteId":"GHSA-mj32-r678-7mvp","title":"Craft Commerce has stored XSS in Craft Commerce Order Details Slideout","link":"https:\/\/github.com\/advisories\/GHSA-mj32-r678-7mvp","cve":"CVE-2026-29177","affectedVersions":"\u003E=5.0.0,\u003C=5.5.2|\u003E=4.0.0,\u003C=4.10.1","source":"GitHub","reportedAt":"2026-03-10 18:24:18","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mj32-r678-7mvp"}]},{"advisoryId":"PKSA-c2xz-ckr6-6mky","packageName":"craftcms\/commerce","remoteId":"GHSA-vff3-pqq8-4cpq","title":"Craft Commerce: Potential IDOR in Commerce carts","link":"https:\/\/github.com\/advisories\/GHSA-vff3-pqq8-4cpq","cve":"CVE-2026-31867","affectedVersions":"\u003E=4.0.0,\u003C4.11.0|\u003E=5.0.0,\u003C5.6.0","source":"GitHub","reportedAt":"2026-03-10 18:24:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vff3-pqq8-4cpq"}]}],"webonyx\/graphql-php":[{"advisoryId":"PKSA-7h5p-prw9-w5nr","packageName":"webonyx\/graphql-php","remoteId":"GHSA-68jq-c3rv-pcrr","title":"graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation","link":"https:\/\/github.com\/advisories\/GHSA-68jq-c3rv-pcrr","cve":"CVE-2026-40476","affectedVersions":"\u003C=15.31.4","source":"GitHub","reportedAt":"2026-04-14 01:05:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-68jq-c3rv-pcrr"}]}],"rhukster\/dom-sanitizer":[{"advisoryId":"PKSA-x5pq-tgg3-vhtm","packageName":"rhukster\/dom-sanitizer","remoteId":"GHSA-93vf-569f-22cq","title":"rhukster\/dom-sanitizer: SVG \u003Cstyle\u003E tag allows CSS injection via unfiltered url() and @import directives","link":"https:\/\/github.com\/advisories\/GHSA-93vf-569f-22cq","cve":"CVE-2026-40301","affectedVersions":"\u003C1.0.10","source":"GitHub","reportedAt":"2026-04-10 21:08:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-93vf-569f-22cq"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-zh4j-by9m-7mz8","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-r854-jrxh-36qx","title":"phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()","link":"https:\/\/github.com\/advisories\/GHSA-r854-jrxh-36qx","cve":"CVE-2026-40194","affectedVersions":"\u003E=3.0.0,\u003C3.0.51|\u003E=2.0.0,\u003C2.0.53|\u003C1.0.28","source":"GitHub","reportedAt":"2026-04-10 20:58:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-r854-jrxh-36qx"}]},{"advisoryId":"PKSA-km2b-zc3b-mjm3","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-94g3-g5v7-q4jg","title":"phpseclib\u0027s AES-CBC unpadding susceptible to padding oracle timing attack","link":"https:\/\/github.com\/advisories\/GHSA-94g3-g5v7-q4jg","cve":"CVE-2026-32935","affectedVersions":"\u003C=1.0.26|\u003E=2.0.0,\u003C=2.0.51|\u003E=3.0.0,\u003C=3.0.49","source":"GitHub","reportedAt":"2026-03-19 16:42:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-94g3-g5v7-q4jg"}]}],"redaxo\/source":[{"advisoryId":"PKSA-4w67-7bxw-yj96","packageName":"redaxo\/source","remoteId":"GHSA-m662-8jrj-cw6v","title":"REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-m662-8jrj-cw6v","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-m662-8jrj-cw6v"}]},{"advisoryId":"PKSA-ps7n-211c-nz3j","packageName":"redaxo\/source","remoteId":"GHSA-xq4j-g85q-wf97","title":"REDAXO has reflected XSS backend packages API via function parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-xq4j-g85q-wf97","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:42","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-xq4j-g85q-wf97"}]}],"kantorge\/yaffa":[{"advisoryId":"PKSA-bprf-j9w1-t7bq","packageName":"kantorge\/yaffa","remoteId":"GHSA-pq95-94c9-j987","title":"yaffa vulnerable to Cross Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-pq95-94c9-j987","cve":"CVE-2025-70844","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-04-07 18:31:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pq95-94c9-j987"}]}],"laravel\/passport":[{"advisoryId":"PKSA-wc55-9qj2-7v4h","packageName":"laravel\/passport","remoteId":"GHSA-349c-2h2f-mxf6","title":"Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens","link":"https:\/\/github.com\/advisories\/GHSA-349c-2h2f-mxf6","cve":"CVE-2026-39976","affectedVersions":"\u003E=13.0.0,\u003C13.7.1","source":"GitHub","reportedAt":"2026-04-08 19:57:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-349c-2h2f-mxf6"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-qjrw-zc8d-74p2","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-9rxp-f27p-wv3h","title":"CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files","link":"https:\/\/github.com\/advisories\/GHSA-9rxp-f27p-wv3h","cve":"CVE-2026-39389","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9rxp-f27p-wv3h"}]},{"advisoryId":"PKSA-znp8-d94g-vhxv","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-x3hr-cp7x-44r2","title":"CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting","link":"https:\/\/github.com\/advisories\/GHSA-x3hr-cp7x-44r2","cve":"CVE-2026-39390","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x3hr-cp7x-44r2"}]},{"advisoryId":"PKSA-v96y-q2b3-cqc5","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-7cm9-v848-cfh2","title":"CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List","link":"https:\/\/github.com\/advisories\/GHSA-7cm9-v848-cfh2","cve":"CVE-2026-39391","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cm9-v848-cfh2"}]},{"advisoryId":"PKSA-9pcd-vkjt-q5hq","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fjpj-6qcq-6pw2","title":"CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-fjpj-6qcq-6pw2","cve":"CVE-2026-39392","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fjpj-6qcq-6pw2"}]},{"advisoryId":"PKSA-1wjp-gt44-q5bg","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-8rh5-4mvx-xj7j","title":"CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass","link":"https:\/\/github.com\/advisories\/GHSA-8rh5-4mvx-xj7j","cve":"CVE-2026-39393","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8rh5-4mvx-xj7j"}]},{"advisoryId":"PKSA-rh74-dqx1-j9wm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vfhx-5459-qhqh","title":"CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller","link":"https:\/\/github.com\/advisories\/GHSA-vfhx-5459-qhqh","cve":"CVE-2026-39394","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:16:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vfhx-5459-qhqh"}]},{"advisoryId":"PKSA-2zsh-chw8-v8ty","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-5ghq-42rg-769x","title":"CI4MS: Company Information Public-Facing Page Full Platform Compromise \u0026 Full Account Takeover for All Roles \u0026 Privilege-Escalation via System Settings Company Information Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-5ghq-42rg-769x","cve":"CVE-2026-35035","affectedVersions":"\u003C=0.31.1.0","source":"GitHub","reportedAt":"2026-04-06 17:53:02","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-5ghq-42rg-769x"}]},{"advisoryId":"PKSA-m42v-jjr9-d9jw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vr2g-rhm5-q4jr","title":"CI4MS: Profile \u0026 User Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-vr2g-rhm5-q4jr","cve":"CVE-2026-34989","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-03 04:00:57","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-vr2g-rhm5-q4jr"}]},{"advisoryId":"PKSA-76s3-z1f6-2f6c","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-gcfj-cf7j-vwgj","title":"CI4MS: System Settings (Social Media Management) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-gcfj-cf7j-vwgj","cve":"CVE-2026-34561","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:02:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcfj-cf7j-vwgj"}]},{"advisoryId":"PKSA-5wvv-b5q1-7q3y","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-v897-c6vq-6cr3","title":"CI4MS: System Settings (Company Information) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-v897-c6vq-6cr3","cve":"CVE-2026-34562","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:03:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v897-c6vq-6cr3"}]},{"advisoryId":"PKSA-htcp-qzb1-t2rb","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-85m8-g393-jcxf","title":"CI4MS: Backup Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM Blind XSS","link":"https:\/\/github.com\/advisories\/GHSA-85m8-g393-jcxf","cve":"CVE-2026-34563","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:04:21","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-85m8-g393-jcxf"}]},{"advisoryId":"PKSA-dscn-pm72-89xm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-g4pp-fhgf-8653","title":"CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-g4pp-fhgf-8653","cve":"CVE-2026-34564","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:04:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-g4pp-fhgf-8653"}]},{"advisoryId":"PKSA-xz64-59cc-54j6","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-xgh5-w62m-8mpr","title":"CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-xgh5-w62m-8mpr","cve":"CVE-2026-34565","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:05:45","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-xgh5-w62m-8mpr"}]},{"advisoryId":"PKSA-xqh9-kym3-gzkm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-458r-h248-29c5","title":"CI4MS: Pages Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-458r-h248-29c5","cve":"CVE-2026-34566","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:06:28","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-458r-h248-29c5"}]},{"advisoryId":"PKSA-485k-t9tj-8z9f","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-r33w-c82v-x5v7","title":"CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-r33w-c82v-x5v7","cve":"CVE-2026-34567","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:06:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-r33w-c82v-x5v7"}]},{"advisoryId":"PKSA-vbz6-f418-8p15","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-x7wh-g25g-53vg","title":"CI4MS: Blogs Posts Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-x7wh-g25g-53vg","cve":"CVE-2026-34568","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:07:13","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-x7wh-g25g-53vg"}]},{"advisoryId":"PKSA-418j-5ftc-hsbw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fhrf-q333-82fm","title":"CI4MS: Blogs Categories Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-fhrf-q333-82fm","cve":"CVE-2026-34569","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:07:37","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fhrf-q333-82fm"}]},{"advisoryId":"PKSA-xc2p-nr46-tjxw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-4vxv-4xq4-p84h","title":"CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)","link":"https:\/\/github.com\/advisories\/GHSA-4vxv-4xq4-p84h","cve":"CVE-2026-34570","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:08:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4vxv-4xq4-p84h"}]},{"advisoryId":"PKSA-vgkt-cmh2-qyjg","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fc4p-p49v-r948","title":"CI4MS: Stored Cross\u2011Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise","link":"https:\/\/github.com\/advisories\/GHSA-fc4p-p49v-r948","cve":"CVE-2026-34571","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:09:03","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fc4p-p49v-r948"}]},{"advisoryId":"PKSA-srvq-v3bs-mj79","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-8fq3-c5w3-pj3q","title":"CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)","link":"https:\/\/github.com\/advisories\/GHSA-8fq3-c5w3-pj3q","cve":"CVE-2026-34572","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:09:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8fq3-c5w3-pj3q"}]},{"advisoryId":"PKSA-vjzx-2b18-dktw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-4333-387x-w245","title":"CI4MS: Blogs Tags Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-4333-387x-w245","cve":"CVE-2026-34559","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 21:53:01","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-4333-387x-w245"}]},{"advisoryId":"PKSA-9k1p-9kvd-d2db","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-r4v5-rwr2-q7r4","title":"CI4MS: Logs Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-r4v5-rwr2-q7r4","cve":"CVE-2026-34560","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 21:54:27","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-r4v5-rwr2-q7r4"}]},{"advisoryId":"PKSA-rqgq-p6xv-4qz8","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-rpjr-985c-qhvm","title":"CI4MS: Permissions Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-rpjr-985c-qhvm","cve":"CVE-2026-34557","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 00:10:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-rpjr-985c-qhvm"}]},{"advisoryId":"PKSA-r2q1-2d2k-3p65","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-v77r-xg3p-75g7","title":"CI4MS: Methods Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-v77r-xg3p-75g7","cve":"CVE-2026-34558","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 00:09:24","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-v77r-xg3p-75g7"}]},{"advisoryId":"PKSA-3cpq-nyc1-zgst","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-66m2-v9v9-95c3","title":"ci4-cms-erp\/ci4ms: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-66m2-v9v9-95c3","cve":"CVE-2026-27599","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-03-30 16:19:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66m2-v9v9-95c3"}]}],"feehi\/cms":[{"advisoryId":"PKSA-csfn-tqkm-331b","packageName":"feehi\/cms","remoteId":"GHSA-cvjh-88c8-2jjx","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation\/editing module","link":"https:\/\/github.com\/advisories\/GHSA-cvjh-88c8-2jjx","cve":"CVE-2026-31351","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cvjh-88c8-2jjx"}]},{"advisoryId":"PKSA-mqjt-q7xt-ffry","packageName":"feehi\/cms","remoteId":"GHSA-hqjc-wfvx-x2fv","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module","link":"https:\/\/github.com\/advisories\/GHSA-hqjc-wfvx-x2fv","cve":"CVE-2026-31352","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hqjc-wfvx-x2fv"}]},{"advisoryId":"PKSA-ws91-wc7w-vwjs","packageName":"feehi\/cms","remoteId":"GHSA-664p-j3q6-p843","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module","link":"https:\/\/github.com\/advisories\/GHSA-664p-j3q6-p843","cve":"CVE-2026-31353","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-664p-j3q6-p843"}]},{"advisoryId":"PKSA-rwph-3mr4-xjw2","packageName":"feehi\/cms","remoteId":"GHSA-xqm9-6qmm-xrqh","title":"Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module","link":"https:\/\/github.com\/advisories\/GHSA-xqm9-6qmm-xrqh","cve":"CVE-2026-31354","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xqm9-6qmm-xrqh"}]},{"advisoryId":"PKSA-tgmx-kn2c-zmk2","packageName":"feehi\/cms","remoteId":"GHSA-cgxr-v74v-g9mm","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter","link":"https:\/\/github.com\/advisories\/GHSA-cgxr-v74v-g9mm","cve":"CVE-2026-31350","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cgxr-v74v-g9mm"}]},{"advisoryId":"PKSA-ssrk-53xg-dbbn","packageName":"feehi\/cms","remoteId":"GHSA-hj9c-p59c-vqph","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation\/editing module","link":"https:\/\/github.com\/advisories\/GHSA-hj9c-p59c-vqph","cve":"CVE-2026-31313","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hj9c-p59c-vqph"}]}],"roundcube\/roundcubemail":[{"advisoryId":"PKSA-wjqw-j5qy-sdfr","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-rxj3-rrwm-pj4r","title":"Roundcube Webmail: Unsafe deserialization in the redis\/memcache session handler","link":"https:\/\/github.com\/advisories\/GHSA-rxj3-rrwm-pj4r","cve":"CVE-2026-35537","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rxj3-rrwm-pj4r"}]},{"advisoryId":"PKSA-764m-m66v-9t4g","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-8jr8-v43g-5c57","title":"Roundcube Webmail: Unsanitized IMAP SEARCH command arguments","link":"https:\/\/github.com\/advisories\/GHSA-8jr8-v43g-5c57","cve":"CVE-2026-35538","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8jr8-v43g-5c57"}]},{"advisoryId":"PKSA-3z5p-dc2d-4drb","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-x4q5-8j5g-hpjc","title":"Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode","link":"https:\/\/github.com\/advisories\/GHSA-x4q5-8j5g-hpjc","cve":"CVE-2026-35539","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x4q5-8j5g-hpjc"}]},{"advisoryId":"PKSA-vsf6-6r3q-jc1x","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-vxg2-hhgr-37fx","title":"Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages","link":"https:\/\/github.com\/advisories\/GHSA-vxg2-hhgr-37fx","cve":"CVE-2026-35540","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vxg2-hhgr-37fx"}]},{"advisoryId":"PKSA-5v34-b81b-ng2h","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-46pv-mj2g-93gh","title":"Roundcube Webmail: Incorrect password comparison in the password plugin","link":"https:\/\/github.com\/advisories\/GHSA-46pv-mj2g-93gh","cve":"CVE-2026-35541","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-46pv-mj2g-93gh"}]},{"advisoryId":"PKSA-kj9x-s73h-chn8","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-5hf6-crg4-fg59","title":"Roundcube: Bypass of remote image blocking via crafted BODY background attribute","link":"https:\/\/github.com\/advisories\/GHSA-5hf6-crg4-fg59","cve":"CVE-2026-35542","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5hf6-crg4-fg59"}]},{"advisoryId":"PKSA-qdpg-77hy-3x5t","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-j2g6-8rvg-7mf6","title":"Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message","link":"https:\/\/github.com\/advisories\/GHSA-j2g6-8rvg-7mf6","cve":"CVE-2026-35543","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j2g6-8rvg-7mf6"}]},{"advisoryId":"PKSA-wvxn-8qzx-v8n9","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-xpqh-grpw-4xmg","title":"Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages","link":"https:\/\/github.com\/advisories\/GHSA-xpqh-grpw-4xmg","cve":"CVE-2026-35544","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xpqh-grpw-4xmg"}]},{"advisoryId":"PKSA-hnx5-g7mc-vpff","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-w846-74jr-76cv","title":"Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message","link":"https:\/\/github.com\/advisories\/GHSA-w846-74jr-76cv","cve":"CVE-2026-35545","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w846-74jr-76cv"}]}],"devcode-it\/openstamanager":[{"advisoryId":"PKSA-398m-bjsp-p21n","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-mmm5-3g4x-qw39","title":"OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals","link":"https:\/\/github.com\/advisories\/GHSA-mmm5-3g4x-qw39","cve":"CVE-2026-35470","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 21:57:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mmm5-3g4x-qw39"}]},{"advisoryId":"PKSA-dx7q-hp3f-cn12","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-2fr7-cc4f-wh98","title":"OpenSTAManager: SQL Injection via Aggiornamenti Module","link":"https:\/\/github.com\/advisories\/GHSA-2fr7-cc4f-wh98","cve":"CVE-2026-35168","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 03:47:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fr7-cc4f-wh98"}]},{"advisoryId":"PKSA-84pv-3jy7-8y8y","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-3gw8-3mg3-jmpc","title":"OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter","link":"https:\/\/github.com\/advisories\/GHSA-3gw8-3mg3-jmpc","cve":"CVE-2026-28805","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-01 19:46:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3gw8-3mg3-jmpc"}]},{"advisoryId":"PKSA-7wd8-5d3q-gt4k","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-whv5-4q2f-q68g","title":"OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2","link":"https:\/\/github.com\/advisories\/GHSA-whv5-4q2f-q68g","cve":"CVE-2026-29782","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-01 19:46:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-whv5-4q2f-q68g"}]}],"auth0\/login":[{"advisoryId":"PKSA-9fpd-p7cq-9hfg","packageName":"auth0\/login","remoteId":"GHSA-fmg6-246m-9g2v","title":"Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-fmg6-246m-9g2v","cve":null,"affectedVersions":"\u003E=7.0.0,\u003C=7.20.0","source":"GitHub","reportedAt":"2026-04-03 03:41:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fmg6-246m-9g2v"}]}],"auth0\/wordpress":[{"advisoryId":"PKSA-rbsn-2z23-mspc","packageName":"auth0\/wordpress","remoteId":"GHSA-vfpx-q664-h93m","title":"Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-vfpx-q664-h93m","cve":null,"affectedVersions":"\u003E=5.0.0-BETA0,\u003C=5.5.0","source":"GitHub","reportedAt":"2026-04-03 03:43:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vfpx-q664-h93m"}]}],"auth0\/symfony":[{"advisoryId":"PKSA-kmxg-njz7-dx5f","packageName":"auth0\/symfony","remoteId":"GHSA-ghc5-95c2-vwcv","title":"Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-ghc5-95c2-vwcv","cve":null,"affectedVersions":"\u003E=5.0.0,\u003C=5.7.0","source":"GitHub","reportedAt":"2026-04-03 03:44:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ghc5-95c2-vwcv"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-fk9h-qz7y-fk1q","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gcp9-5jc8-976x","title":"phpMyFAQ has a LIKE Wildcard Injection in Search.php \u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-gcp9-5jc8-976x","cve":"CVE-2026-34973","affectedVersions":"\u003C4.1.1","source":"GitHub","reportedAt":"2026-04-01 23:41:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcp9-5jc8-976x"}]},{"advisoryId":"PKSA-yy2b-x6vy-wsx2","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-5crx-pfhq-4hgg","title":"phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation","link":"https:\/\/github.com\/advisories\/GHSA-5crx-pfhq-4hgg","cve":"CVE-2026-34974","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 23:42:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5crx-pfhq-4hgg"}]},{"advisoryId":"PKSA-t2yv-wns1-2p5c","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-98gw-w575-h2ph","title":"phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor","link":"https:\/\/github.com\/advisories\/GHSA-98gw-w575-h2ph","cve":"CVE-2026-32629","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-03-31 22:48:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98gw-w575-h2ph"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-n57d-sn2t-c46g","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-38m8-xrfj-v38x","title":"phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController","link":"https:\/\/github.com\/advisories\/GHSA-38m8-xrfj-v38x","cve":"CVE-2026-34728","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 22:30:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-38m8-xrfj-v38x"}]},{"advisoryId":"PKSA-yq8b-v8fg-rvf8","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-cv2g-8cj8-vgc7","title":"phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()","link":"https:\/\/github.com\/advisories\/GHSA-cv2g-8cj8-vgc7","cve":"CVE-2026-34729","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 22:31:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cv2g-8cj8-vgc7"}]},{"advisoryId":"PKSA-25jh-4r4k-gpj5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-98gw-w575-h2ph","title":"phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor","link":"https:\/\/github.com\/advisories\/GHSA-98gw-w575-h2ph","cve":"CVE-2026-32629","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-03-31 22:48:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98gw-w575-h2ph"}]}],"auth0\/auth0-php":[{"advisoryId":"PKSA-3nzc-cgjr-2gwf","packageName":"auth0\/auth0-php","remoteId":"GHSA-w3wc-44p4-m4j7","title":"Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-w3wc-44p4-m4j7","cve":"CVE-2026-34236","affectedVersions":"\u003E=8.0.0,\u003C=8.18.0","source":"GitHub","reportedAt":"2026-04-01 20:29:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w3wc-44p4-m4j7"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-v42k-yy3p-gtyh","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-5724-x3rh-5qqq","title":"YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities","link":"https:\/\/github.com\/advisories\/GHSA-5724-x3rh-5qqq","cve":null,"affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:24:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5724-x3rh-5qqq"}]},{"advisoryId":"PKSA-wfcs-d3sq-n6dj","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-37fq-47qj-6j5j","title":"YesWiki has Persistent Blind XSS at \u0022\/?BazaR\u0026vue=consulter\u0022","link":"https:\/\/github.com\/advisories\/GHSA-37fq-47qj-6j5j","cve":"CVE-2026-34598","affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:13:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37fq-47qj-6j5j"}]}],"admidio\/admidio":[{"advisoryId":"PKSA-xdc9-2g6y-xpdf","packageName":"admidio\/admidio","remoteId":"GHSA-7fh7-8xqm-3g88","title":"Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess","link":"https:\/\/github.com\/advisories\/GHSA-7fh7-8xqm-3g88","cve":"CVE-2026-34381","affectedVersions":"\u003E=5.0.0,\u003C5.0.8","source":"GitHub","reportedAt":"2026-03-31 23:10:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7fh7-8xqm-3g88"}]},{"advisoryId":"PKSA-rjbb-v642-bmj1","packageName":"admidio\/admidio","remoteId":"GHSA-g3mx-8jm6-rc85","title":"Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php","link":"https:\/\/github.com\/advisories\/GHSA-g3mx-8jm6-rc85","cve":"CVE-2026-34382","affectedVersions":"\u003E=5.0.0,\u003C=5.0.7","source":"GitHub","reportedAt":"2026-03-31 23:10:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g3mx-8jm6-rc85"}]},{"advisoryId":"PKSA-rs6z-52fv-dzjt","packageName":"admidio\/admidio","remoteId":"GHSA-ph84-r98x-2j22","title":"Admidio has Missing CSRF Protection on Registration Approval Actions","link":"https:\/\/github.com\/advisories\/GHSA-ph84-r98x-2j22","cve":"CVE-2026-34384","affectedVersions":"\u003C5.0.8","source":"GitHub","reportedAt":"2026-03-31 23:11:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ph84-r98x-2j22"}]},{"advisoryId":"PKSA-ksvx-vqkf-t9m4","packageName":"admidio\/admidio","remoteId":"GHSA-4rwm-c5mj-wh7x","title":"Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter","link":"https:\/\/github.com\/advisories\/GHSA-4rwm-c5mj-wh7x","cve":"CVE-2026-34383","affectedVersions":"\u003C=5.0.7","source":"GitHub","reportedAt":"2026-03-31 23:11:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4rwm-c5mj-wh7x"}]},{"advisoryId":"PKSA-z3z9-x952-96sj","packageName":"admidio\/admidio","remoteId":"GHSA-95cq-p4w2-32w5","title":"File Upload(RCE) Vulnerability in admidio","link":"https:\/\/github.com\/advisories\/GHSA-95cq-p4w2-32w5","cve":"CVE-2026-32756","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:16:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-95cq-p4w2-32w5"}]},{"advisoryId":"PKSA-1wgg-nst3-ctpz","packageName":"admidio\/admidio","remoteId":"GHSA-wwg8-6ffr-h4q2","title":"Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions","link":"https:\/\/github.com\/advisories\/GHSA-wwg8-6ffr-h4q2","cve":"CVE-2026-32816","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:17:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wwg8-6ffr-h4q2"}]},{"advisoryId":"PKSA-ym3s-c4g7-mjjc","packageName":"admidio\/admidio","remoteId":"GHSA-h8gr-qwr6-m9gx","title":"Admidio is Missing CSRF Protection on Role Membership Date Changes","link":"https:\/\/github.com\/advisories\/GHSA-h8gr-qwr6-m9gx","cve":"CVE-2026-32755","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:17:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h8gr-qwr6-m9gx"}]},{"advisoryId":"PKSA-k5pv-h718-ynrx","packageName":"admidio\/admidio","remoteId":"GHSA-6j68-gcc3-mq73","title":"Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-6j68-gcc3-mq73","cve":"CVE-2026-32812","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:17:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6j68-gcc3-mq73"}]},{"advisoryId":"PKSA-stt3-wv6m-657m","packageName":"admidio\/admidio","remoteId":"GHSA-rmpj-3x5m-9m5f","title":"Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion","link":"https:\/\/github.com\/advisories\/GHSA-rmpj-3x5m-9m5f","cve":"CVE-2026-32817","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:18:10","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-rmpj-3x5m-9m5f"}]},{"advisoryId":"PKSA-sgr9-nmmb-pbwy","packageName":"admidio\/admidio","remoteId":"GHSA-4wr4-f2qf-x5wj","title":"Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection","link":"https:\/\/github.com\/advisories\/GHSA-4wr4-f2qf-x5wj","cve":"CVE-2026-32757","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:18:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4wr4-f2qf-x5wj"}]},{"advisoryId":"PKSA-vs7x-4q3q-rbsp","packageName":"admidio\/admidio","remoteId":"GHSA-g375-5wmp-xr78","title":"Admidio is Missing Authorization on Forum Topic and Post Deletion","link":"https:\/\/github.com\/advisories\/GHSA-g375-5wmp-xr78","cve":"CVE-2026-32818","affectedVersions":"\u003E=5.0.0,\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:18:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g375-5wmp-xr78"}]},{"advisoryId":"PKSA-gmjw-r3kp-z9vp","packageName":"admidio\/admidio","remoteId":"GHSA-3x67-4c2c-w45m","title":"Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)","link":"https:\/\/github.com\/advisories\/GHSA-3x67-4c2c-w45m","cve":"CVE-2026-32813","affectedVersions":"\u003C=5.0.6","source":"GitHub","reportedAt":"2026-03-16 21:19:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3x67-4c2c-w45m"}]},{"advisoryId":"PKSA-m5mq-p62f-xpq3","packageName":"admidio\/admidio","remoteId":"GHSA-7pfv-hr63-h7cw","title":"Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter","link":"https:\/\/github.com\/advisories\/GHSA-7pfv-hr63-h7cw","cve":"CVE-2026-30927","affectedVersions":"\u003C5.0.6","source":"GitHub","reportedAt":"2026-03-09 19:45:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7pfv-hr63-h7cw"}]}],"j0k3r\/graby":[{"advisoryId":"PKSA-j5hk-b83d-1p4h","packageName":"j0k3r\/graby","remoteId":"GHSA-3h6j-9x8m-rg3g","title":"Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config","link":"https:\/\/github.com\/advisories\/GHSA-3h6j-9x8m-rg3g","cve":null,"affectedVersions":"\u003C=2.5.0","source":"GitHub","reportedAt":"2026-03-31 23:12:36","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3h6j-9x8m-rg3g"}]}],"baserproject\/basercms":[{"advisoryId":"PKSA-hd1x-n8tw-4v66","packageName":"baserproject\/basercms","remoteId":"GHSA-677c-xv24-crgx","title":"baserCMS is Vulnerable to Cross-site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-677c-xv24-crgx","cve":"CVE-2026-32734","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:52:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-677c-xv24-crgx"}]},{"advisoryId":"PKSA-kcyg-5jhp-1x3h","packageName":"baserproject\/basercms","remoteId":"GHSA-jmq3-x8q7-j9qm","title":"baserCMS has a cross-site scripting vulnerability in blog posts","link":"https:\/\/github.com\/advisories\/GHSA-jmq3-x8q7-j9qm","cve":"CVE-2026-30879","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:43:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jmq3-x8q7-j9qm"}]},{"advisoryId":"PKSA-9wbk-k4bx-zvqq","packageName":"baserproject\/basercms","remoteId":"GHSA-6hpg-8rx3-cwgv","title":"baserCMS has OS command injection vulnerability in installer","link":"https:\/\/github.com\/advisories\/GHSA-6hpg-8rx3-cwgv","cve":"CVE-2026-30880","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:43:31","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-6hpg-8rx3-cwgv"}]},{"advisoryId":"PKSA-6jcy-61hj-18tr","packageName":"baserproject\/basercms","remoteId":"GHSA-c5c6-37vq-pjcq","title":"baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API","link":"https:\/\/github.com\/advisories\/GHSA-c5c6-37vq-pjcq","cve":"CVE-2026-30940","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:47:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c5c6-37vq-pjcq"}]},{"advisoryId":"PKSA-1768-n8q1-3816","packageName":"baserproject\/basercms","remoteId":"GHSA-vh89-rjph-2g7p","title":"baserCMS has an SQL injection vulnerability in its blog post functionality","link":"https:\/\/github.com\/advisories\/GHSA-vh89-rjph-2g7p","cve":"CVE-2026-27697","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:35:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vh89-rjph-2g7p"}]},{"advisoryId":"PKSA-mr15-f3n3-4vy5","packageName":"baserproject\/basercms","remoteId":"GHSA-m9g7-rgfc-jcm7","title":"baserCMS Update Functionality Vulnerable to OS Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-m9g7-rgfc-jcm7","cve":"CVE-2026-30877","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:35:47","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-m9g7-rgfc-jcm7"}]},{"advisoryId":"PKSA-ztxq-vhtb-jhvy","packageName":"baserproject\/basercms","remoteId":"GHSA-8cr7-r8qw-gp3c","title":"baserCMS has Mail Form Acceptance Bypass via Public API","link":"https:\/\/github.com\/advisories\/GHSA-8cr7-r8qw-gp3c","cve":"CVE-2026-30878","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:36:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8cr7-r8qw-gp3c"}]},{"advisoryId":"PKSA-mrz2-4hdf-297k","packageName":"baserproject\/basercms","remoteId":"GHSA-hv78-cwp4-8r7r","title":"baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-hv78-cwp4-8r7r","cve":"CVE-2025-32957","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:22:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hv78-cwp4-8r7r"}]},{"advisoryId":"PKSA-xyh3-vpd8-cdnh","packageName":"baserproject\/basercms","remoteId":"GHSA-qxmc-6f24-g86g","title":"baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-qxmc-6f24-g86g","cve":"CVE-2026-21861","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:27:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-qxmc-6f24-g86g"}]}],"sulu\/sulu":[{"advisoryId":"PKSA-s8fv-tzzv-5y3k","packageName":"sulu\/sulu","remoteId":"GHSA-6h7h-m7p5-hjqp","title":"Sulu checks fix permissions for subentities endpoints","link":"https:\/\/github.com\/advisories\/GHSA-6h7h-m7p5-hjqp","cve":"CVE-2026-34372","affectedVersions":"\u003E=3.0.0,\u003C3.0.5|\u003E=1.0.0,\u003C2.6.22","source":"GitHub","reportedAt":"2026-03-30 18:04:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6h7h-m7p5-hjqp"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-nqgv-t4m1-732c","packageName":"getkirby\/cms","remoteId":"GHSA-cw7v-45wm-mcf2","title":"Kirby CMS has Persistent DoS via Malformed Image Upload","link":"https:\/\/github.com\/advisories\/GHSA-cw7v-45wm-mcf2","cve":"CVE-2026-29905","affectedVersions":"\u003C5.2.0-rc.1","source":"GitHub","reportedAt":"2026-03-27 22:21:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cw7v-45wm-mcf2"}]}],"aws\/aws-sdk-php":[{"advisoryId":"PKSA-4t1p-xpk2-nsss","packageName":"aws\/aws-sdk-php","remoteId":"GHSA-27qh-8cxx-2cr5","title":"AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters","link":"https:\/\/github.com\/advisories\/GHSA-27qh-8cxx-2cr5","cve":null,"affectedVersions":"\u003E=3.11.7,\u003C=3.371.3","source":"GitHub","reportedAt":"2026-03-27 19:54:58","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-27qh-8cxx-2cr5"}]}],"saloonphp\/saloon":[{"advisoryId":"PKSA-xnj5-w74d-6wmz","packageName":"saloonphp\/saloon","remoteId":"GHSA-rf88-776r-rcq9","title":"Saloon has insecure deserialization in AccessTokenAuthenticator","link":"https:\/\/github.com\/advisories\/GHSA-rf88-776r-rcq9","cve":"CVE-2026-33942","affectedVersions":"\u003C4.0.0","source":"GitHub","reportedAt":"2026-03-27 18:33:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rf88-776r-rcq9"}]},{"advisoryId":"PKSA-5szq-gvrg-ttfq","packageName":"saloonphp\/saloon","remoteId":"GHSA-c83f-3xp6-hfcp","title":"Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL","link":"https:\/\/github.com\/advisories\/GHSA-c83f-3xp6-hfcp","cve":"CVE-2026-33182","affectedVersions":"\u003C4.0.0","source":"GitHub","reportedAt":"2026-03-25 22:00:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c83f-3xp6-hfcp"}]},{"advisoryId":"PKSA-rnpm-45mg-w6ht","packageName":"saloonphp\/saloon","remoteId":"GHSA-f7xc-5852-fj99","title":"Saloon has a Fixture Name Path Traversal Vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-f7xc-5852-fj99","cve":"CVE-2026-33183","affectedVersions":"\u003C4.0.0","source":"GitHub","reportedAt":"2026-03-25 22:00:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7xc-5852-fj99"}]}],"dolibarr\/dolibarr":[{"advisoryId":"PKSA-bc6q-cg7z-6rnf","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-2mfj-r695-5h9r","title":"Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php ","link":"https:\/\/github.com\/advisories\/GHSA-2mfj-r695-5h9r","cve":"CVE-2026-34036","affectedVersions":"\u003C=22.0.4","source":"GitHub","reportedAt":"2026-03-27 18:04:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2mfj-r695-5h9r"}]}],"hybridauth\/hybridauth":[{"advisoryId":"PKSA-27jb-7jhc-ynjm","packageName":"hybridauth\/hybridauth","remoteId":"GHSA-r3hf-q3mf-7h6w","title":"HybridAuth Has Improper SSL Certificate Validation in Curl HTTP Client","link":"https:\/\/github.com\/advisories\/GHSA-r3hf-q3mf-7h6w","cve":"CVE-2026-4587","affectedVersions":"\u003C=3.12.2","source":"GitHub","reportedAt":"2026-03-23 15:30:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r3hf-q3mf-7h6w"}]}],"miraheze\/ts-portal":[{"advisoryId":"PKSA-7xkw-5f95-g3th","packageName":"miraheze\/ts-portal","remoteId":"GHSA-f346-8rp3-4h9h","title":"TSPortal\u0027s Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service","link":"https:\/\/github.com\/advisories\/GHSA-f346-8rp3-4h9h","cve":"CVE-2026-33541","affectedVersions":"\u003C=33","source":"GitHub","reportedAt":"2026-03-27 15:42:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f346-8rp3-4h9h"}]},{"advisoryId":"PKSA-95py-dkb3-3t1y","packageName":"miraheze\/ts-portal","remoteId":"GHSA-gfhq-7499-f3f2","title":"TSPortal: Any user can forge self-deletion requests for any account","link":"https:\/\/github.com\/advisories\/GHSA-gfhq-7499-f3f2","cve":"CVE-2026-29788","affectedVersions":"\u003C=29","source":"GitHub","reportedAt":"2026-03-27 15:37:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gfhq-7499-f3f2"}]}],"statamic\/cms":[{"advisoryId":"PKSA-8f4x-d8sb-16sq","packageName":"statamic\/cms","remoteId":"GHSA-cvh3-23vq-w7h4","title":"Statamic\u0027s Markdown preview endpoint exposes sensitive user data","link":"https:\/\/github.com\/advisories\/GHSA-cvh3-23vq-w7h4","cve":"CVE-2026-33882","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:03:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cvh3-23vq-w7h4"}]},{"advisoryId":"PKSA-ffqw-wkbr-m6bg","packageName":"statamic\/cms","remoteId":"GHSA-3jg4-p23x-p4qx","title":"Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag","link":"https:\/\/github.com\/advisories\/GHSA-3jg4-p23x-p4qx","cve":"CVE-2026-33883","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:05:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3jg4-p23x-p4qx"}]},{"advisoryId":"PKSA-tg1h-vfwx-wzp9","packageName":"statamic\/cms","remoteId":"GHSA-8vwx-ccf6-5wg2","title":"Statamic\u0027s live preview token bypasses content protection for unrelated entries","link":"https:\/\/github.com\/advisories\/GHSA-8vwx-ccf6-5wg2","cve":"CVE-2026-33884","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:05:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8vwx-ccf6-5wg2"}]},{"advisoryId":"PKSA-3yh1-q236-qg5b","packageName":"statamic\/cms","remoteId":"GHSA-7f74-7q5w-hj4r","title":"Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential","link":"https:\/\/github.com\/advisories\/GHSA-7f74-7q5w-hj4r","cve":"CVE-2026-33885","affectedVersions":"\u003E=6.0.0.alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:05:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7f74-7q5w-hj4r"}]},{"advisoryId":"PKSA-74j5-mc2z-3jj1","packageName":"statamic\/cms","remoteId":"GHSA-gcqf-5x9f-hq7f","title":"Statamic\u0027s sensitive configuration values are exposed to content editors via Antlers-enabled fields","link":"https:\/\/github.com\/advisories\/GHSA-gcqf-5x9f-hq7f","cve":"CVE-2026-33886","affectedVersions":"\u003E=6.5.0,\u003C6.7.2|\u003E=5.73.12,\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:06:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcqf-5x9f-hq7f"}]},{"advisoryId":"PKSA-yd5q-tqxd-dxfr","packageName":"statamic\/cms","remoteId":"GHSA-4hp7-3wxg-cv9q","title":"Statamic allows unauthorized content access through missing authorization in its revision controllers ","link":"https:\/\/github.com\/advisories\/GHSA-4hp7-3wxg-cv9q","cve":"CVE-2026-33887","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-26 19:07:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4hp7-3wxg-cv9q"}]},{"advisoryId":"PKSA-4mnq-vkqt-4wqf","packageName":"statamic\/cms","remoteId":"GHSA-qm7r-wwq7-6f85","title":"Statamic has a path traversal in file dictionary fieldtype","link":"https:\/\/github.com\/advisories\/GHSA-qm7r-wwq7-6f85","cve":"CVE-2026-33171","affectedVersions":"\u003C5.73.14|\u003E=6.0.0-alpha.1,\u003C6.7.0","source":"GitHub","reportedAt":"2026-03-18 20:00:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qm7r-wwq7-6f85"}]},{"advisoryId":"PKSA-ymb8-dx7z-7137","packageName":"statamic\/cms","remoteId":"GHSA-wh3h-gvc4-cc2g","title":"Statamic is missing authorization check on taxonomy term creation via fieldtype","link":"https:\/\/github.com\/advisories\/GHSA-wh3h-gvc4-cc2g","cve":"CVE-2026-33177","affectedVersions":"\u003C5.73.14|\u003E=6.0.0-alpha.1,\u003C6.7.0","source":"GitHub","reportedAt":"2026-03-18 20:00:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wh3h-gvc4-cc2g"}]},{"advisoryId":"PKSA-8wnz-z9p8-kd44","packageName":"statamic\/cms","remoteId":"GHSA-7rcv-55mj-chg7","title":"Statamic has Stored XSS via SVG Sanitization Bypass","link":"https:\/\/github.com\/advisories\/GHSA-7rcv-55mj-chg7","cve":"CVE-2026-33172","affectedVersions":"\u003C5.73.14|\u003E=6.0.0-alpha.1,\u003C6.7.0","source":"GitHub","reportedAt":"2026-03-18 19:54:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7rcv-55mj-chg7"}]},{"advisoryId":"PKSA-thnk-qh3m-ttzb","packageName":"statamic\/cms","remoteId":"GHSA-hcch-w73c-jp4m","title":"Statamic vulnerable to privilege escalation via stored cross-site scripting","link":"https:\/\/github.com\/advisories\/GHSA-hcch-w73c-jp4m","cve":"CVE-2026-32612","affectedVersions":"\u003E=6.0.0,\u003C6.6.2","source":"GitHub","reportedAt":"2026-03-13 20:50:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hcch-w73c-jp4m"}]},{"advisoryId":"PKSA-skzr-by55-tmc5","packageName":"statamic\/cms","remoteId":"GHSA-cpv7-q2wx-m8rw","title":"Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs","link":"https:\/\/github.com\/advisories\/GHSA-cpv7-q2wx-m8rw","cve":"CVE-2026-28425","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.2|\u003C5.73.16","source":"GitHub","reportedAt":"2026-03-01 01:30:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cpv7-q2wx-m8rw"}]},{"advisoryId":"PKSA-w3y4-x9d3-9t28","packageName":"statamic\/cms","remoteId":"GHSA-jxq9-79vj-rgvw","title":"Statamic is vulnerable to account takeover via password reset link injection","link":"https:\/\/github.com\/advisories\/GHSA-jxq9-79vj-rgvw","cve":"CVE-2026-27593","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.7.1|\u003C5.73.10","source":"GitHub","reportedAt":"2026-02-24 21:09:23","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-jxq9-79vj-rgvw"}]}],"concrete5\/concrete5":[{"advisoryId":"PKSA-xvm3-fqgr-dzxw","packageName":"concrete5\/concrete5","remoteId":"GHSA-p68c-rmfh-j48h","title":"ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads","link":"https:\/\/github.com\/advisories\/GHSA-p68c-rmfh-j48h","cve":"CVE-2026-30662","affectedVersions":"\u003C=9.4.7","source":"GitHub","reportedAt":"2026-03-24 15:30:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p68c-rmfh-j48h"}]}],"google\/protobuf":[{"advisoryId":"PKSA-tcfz-w4fm-hhk9","packageName":"google\/protobuf","remoteId":"GHSA-p2gh-cfq4-4wjc","title":"Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion","link":"https:\/\/github.com\/advisories\/GHSA-p2gh-cfq4-4wjc","cve":null,"affectedVersions":"\u003C4.33.6","source":"GitHub","reportedAt":"2026-03-25 21:02:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p2gh-cfq4-4wjc"}]}],"code16\/sharp":[{"advisoryId":"PKSA-74vs-2hzw-xc7y","packageName":"code16\/sharp","remoteId":"GHSA-fr76-5637-w3g9","title":"Sharp has Unrestricted File Upload via Client-Controlled Validation Rules","link":"https:\/\/github.com\/advisories\/GHSA-fr76-5637-w3g9","cve":"CVE-2026-33687","affectedVersions":"\u003C9.20.0","source":"GitHub","reportedAt":"2026-03-25 20:00:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fr76-5637-w3g9"}]},{"advisoryId":"PKSA-48kw-4xx3-wpfb","packageName":"code16\/sharp","remoteId":"GHSA-9ffq-6457-8958","title":"Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil","link":"https:\/\/github.com\/advisories\/GHSA-9ffq-6457-8958","cve":"CVE-2026-33686","affectedVersions":"\u003C9.20.0","source":"GitHub","reportedAt":"2026-03-25 20:01:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9ffq-6457-8958"}]}],"mantisbt\/mantisbt":[{"advisoryId":"PKSA-snjj-r5pw-fbgn","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-73vx-49mv-v8w5","title":"MantisBT has Stored HTML Injection\/XSS when displaying Tags in Timeline","link":"https:\/\/github.com\/advisories\/GHSA-73vx-49mv-v8w5","cve":"CVE-2026-33548","affectedVersions":"=2.28.0","source":"GitHub","reportedAt":"2026-03-25 20:09:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-73vx-49mv-v8w5"}]},{"advisoryId":"PKSA-dcyg-8m67-cs7k","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-fh48-f69w-7vmp","title":"MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation","link":"https:\/\/github.com\/advisories\/GHSA-fh48-f69w-7vmp","cve":"CVE-2026-33517","affectedVersions":"=2.28.0","source":"GitHub","reportedAt":"2026-03-25 19:56:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fh48-f69w-7vmp"}]},{"advisoryId":"PKSA-cwyv-kt56-ndf5","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-phrq-pc6r-f6gh","title":"MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL","link":"https:\/\/github.com\/advisories\/GHSA-phrq-pc6r-f6gh","cve":"CVE-2026-30849","affectedVersions":"\u003C2.28.1","source":"GitHub","reportedAt":"2026-03-23 20:28:52","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-phrq-pc6r-f6gh"}]}],"prestashop\/prestashop":[{"advisoryId":"PKSA-qc2t-77k5-sq5w","packageName":"prestashop\/prestashop","remoteId":"GHSA-283w-xf3q-788v","title":"PrestaShop: Improper Use of Validation Framework","link":"https:\/\/github.com\/advisories\/GHSA-283w-xf3q-788v","cve":"CVE-2026-33674","affectedVersions":"\u003E=9.0.0-alpha.1,\u003C9.1.0|\u003C8.2.5","source":"GitHub","reportedAt":"2026-03-25 19:40:42","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-283w-xf3q-788v"}]},{"advisoryId":"PKSA-327m-nm79-1t19","packageName":"prestashop\/prestashop","remoteId":"GHSA-35pf-37c6-jxjv","title":"PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables","link":"https:\/\/github.com\/advisories\/GHSA-35pf-37c6-jxjv","cve":"CVE-2026-33673","affectedVersions":"\u003C8.2.5|\u003E=9.0.0-alpha.1,\u003C9.1.0","source":"GitHub","reportedAt":"2026-03-25 19:41:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-35pf-37c6-jxjv"}]}],"yansongda\/pay":[{"advisoryId":"PKSA-8dgs-n4fh-5pd5","packageName":"yansongda\/pay","remoteId":"GHSA-q938-ghwv-8gvc","title":"WeChat Pay callback signature verification bypassed when Host header is localhost","link":"https:\/\/github.com\/advisories\/GHSA-q938-ghwv-8gvc","cve":"CVE-2026-33661","affectedVersions":"\u003C=3.7.19","source":"GitHub","reportedAt":"2026-03-25 19:30:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q938-ghwv-8gvc"}]}],"invoiceninja\/invoiceninja":[{"advisoryId":"PKSA-txpv-wmxc-xy2c","packageName":"invoiceninja\/invoiceninja","remoteId":"GHSA-98wm-cxpw-847p","title":"Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items","link":"https:\/\/github.com\/advisories\/GHSA-98wm-cxpw-847p","cve":"CVE-2026-33628","affectedVersions":"\u003C5.13.4","source":"GitHub","reportedAt":"2026-03-24 20:40:16","composerRepository":null,"severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98wm-cxpw-847p"}]}],"roadiz\/documents":[{"advisoryId":"PKSA-8x28-rsr9-rfb8","packageName":"roadiz\/documents","remoteId":"GHSA-rc55-58f4-687g","title":"Roadiz has Server-Side Request Forgery (SSRF) in roadiz\/documents","link":"https:\/\/github.com\/advisories\/GHSA-rc55-58f4-687g","cve":"CVE-2026-33486","affectedVersions":"\u003C2.3.42|\u003E=2.4.0,\u003C2.5.44|\u003E=2.6.0,\u003C2.6.28|\u003E=2.7.0,\u003C2.7.9","source":"GitHub","reportedAt":"2026-03-23 21:43:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rc55-58f4-687g"}]}],"opensource-workshop\/connect-cms":[{"advisoryId":"PKSA-41bx-mcct-sk3j","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-hxqw-6qv7-cqfv","title":"Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin","link":"https:\/\/github.com\/advisories\/GHSA-hxqw-6qv7-cqfv","cve":"CVE-2026-32276","affectedVersions":"\u003E=2.0.0,\u003C2.41.1|\u003C1.41.1","source":"GitHub","reportedAt":"2026-03-23 20:33:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hxqw-6qv7-cqfv"}]},{"advisoryId":"PKSA-16v9-y28z-87sk","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-cmfh-mpmf-fmq4","title":"Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View","link":"https:\/\/github.com\/advisories\/GHSA-cmfh-mpmf-fmq4","cve":"CVE-2026-32277","affectedVersions":"\u003E=2.35.0,\u003C2.41.1|\u003E=1.35.0,\u003C1.41.1","source":"GitHub","reportedAt":"2026-03-23 20:35:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cmfh-mpmf-fmq4"}]},{"advisoryId":"PKSA-2kyx-vx1v-bbq2","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-mv3p-7p89-wq9p","title":"Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin","link":"https:\/\/github.com\/advisories\/GHSA-mv3p-7p89-wq9p","cve":"CVE-2026-32278","affectedVersions":"\u003E=2.0.0,\u003C=2.41.0|\u003C=1.41.0","source":"GitHub","reportedAt":"2026-03-23 20:36:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mv3p-7p89-wq9p"}]},{"advisoryId":"PKSA-h93g-m9xg-91qb","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-jh46-85jr-6ph9","title":"Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin","link":"https:\/\/github.com\/advisories\/GHSA-jh46-85jr-6ph9","cve":"CVE-2026-32279","affectedVersions":"\u003E=2.0.0,\u003C=2.41.0|\u003C=1.41.0","source":"GitHub","reportedAt":"2026-03-23 20:36:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jh46-85jr-6ph9"}]},{"advisoryId":"PKSA-cxpk-mhkk-3kqb","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-62ch-j6x7-722j","title":"Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature","link":"https:\/\/github.com\/advisories\/GHSA-62ch-j6x7-722j","cve":"CVE-2026-32299","affectedVersions":"\u003E=2.0.0,\u003C=2.40.0|\u003C=1.40.0","source":"GitHub","reportedAt":"2026-03-23 20:38:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-62ch-j6x7-722j"}]},{"advisoryId":"PKSA-mqv7-zr7q-hc9j","packageName":"opensource-workshop\/connect-cms","remoteId":"GHSA-qr6x-wvxr-8hm9","title":"Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information","link":"https:\/\/github.com\/advisories\/GHSA-qr6x-wvxr-8hm9","cve":"CVE-2026-32300","affectedVersions":"\u003E=2.0.0,\u003C=2.41.0|\u003C=1.41.0","source":"GitHub","reportedAt":"2026-03-23 20:39:10","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qr6x-wvxr-8hm9"}]}],"putyourlightson\/craft-sprig":[{"advisoryId":"PKSA-73p9-59k3-bf4z","packageName":"putyourlightson\/craft-sprig","remoteId":"GHSA-m59h-42jf-cphr","title":"Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground","link":"https:\/\/github.com\/advisories\/GHSA-m59h-42jf-cphr","cve":"CVE-2026-27131","affectedVersions":"\u003E=3.0.0,\u003C3.7.2|\u003E=2.0.0,\u003C2.15.2","source":"GitHub","reportedAt":"2026-03-23 20:25:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m59h-42jf-cphr"}]}],"dreamfactory\/df-core":[{"advisoryId":"PKSA-6vcs-hgyx-yq4f","packageName":"dreamfactory\/df-core","remoteId":"GHSA-gv7f-w92j-383q","title":"DreamFactory has a directory traversal","link":"https:\/\/github.com\/advisories\/GHSA-gv7f-w92j-383q","cve":"CVE-2025-55988","affectedVersions":"\u003C1.0.4","source":"GitHub","reportedAt":"2026-03-20 21:31:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gv7f-w92j-383q"}]}],"johnbillion\/query-monitor":[{"advisoryId":"PKSA-675z-6zmn-1gbt","packageName":"johnbillion\/query-monitor","remoteId":"GHSA-2xr4-chcf-vmvf","title":"The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI","link":"https:\/\/github.com\/advisories\/GHSA-2xr4-chcf-vmvf","cve":"CVE-2026-4267","affectedVersions":"\u003C3.20.4","source":"GitHub","reportedAt":"2026-03-19 19:37:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2xr4-chcf-vmvf"}]}],"yoast\/duplicate-post":[{"advisoryId":"PKSA-gmm7-sf5q-mmt1","packageName":"yoast\/duplicate-post","remoteId":"GHSA-g9w4-m5fx-x3wv","title":"Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite","link":"https:\/\/github.com\/advisories\/GHSA-g9w4-m5fx-x3wv","cve":"CVE-2026-1217","affectedVersions":"\u003C=4.5","source":"GitHub","reportedAt":"2026-03-18 12:31:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g9w4-m5fx-x3wv"}]}],"league\/commonmark":[{"advisoryId":"PKSA-21fb-n1x5-5nf7","packageName":"league\/commonmark","remoteId":"GHSA-hh8v-hgvp-g3f5","title":"league\/commonmark has an embed extension allowed_domains bypass","link":"https:\/\/github.com\/advisories\/GHSA-hh8v-hgvp-g3f5","cve":"CVE-2026-33347","affectedVersions":"\u003E=2.3.0,\u003C=2.8.1","source":"GitHub","reportedAt":"2026-03-19 19:04:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hh8v-hgvp-g3f5"}]},{"advisoryId":"PKSA-2cx9-ynrq-qdk3","packageName":"league\/commonmark","remoteId":"GHSA-4v6x-c7xx-hw9f","title":"CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names","link":"https:\/\/github.com\/advisories\/GHSA-4v6x-c7xx-hw9f","cve":"CVE-2026-30838","affectedVersions":"\u003E=2.0.0,\u003C=2.8.0","source":"GitHub","reportedAt":"2026-03-06 23:27:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4v6x-c7xx-hw9f"}]},{"advisoryId":"PKSA-rqc2-tcc6-nc79","packageName":"league\/commonmark","remoteId":"GHSA-3527-qv2q-pfvx","title":"league\/commonmark contains a XSS vulnerability in Attributes extension","link":"https:\/\/github.com\/advisories\/GHSA-3527-qv2q-pfvx","cve":"CVE-2025-46734","affectedVersions":"\u003E=1.5.0,\u003C2.7.0","source":"GitHub","reportedAt":"2025-05-05 20:40:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3527-qv2q-pfvx"}]}],"kelvinmo\/simplejwt":[{"advisoryId":"PKSA-njxg-bvx9-65t2","packageName":"kelvinmo\/simplejwt","remoteId":"GHSA-xw36-67f8-339x","title":"SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering","link":"https:\/\/github.com\/advisories\/GHSA-xw36-67f8-339x","cve":"CVE-2026-33204","affectedVersions":"\u003C=1.1.0","source":"GitHub","reportedAt":"2026-03-18 20:16:59","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xw36-67f8-339x"}]}],"filament\/tables":[{"advisoryId":"PKSA-5bdf-2x61-v43c","packageName":"filament\/tables","remoteId":"GHSA-vv3x-j2x5-36jc","title":"Filament Unvalidated Range and Values summarizer values can be used for XSS","link":"https:\/\/github.com\/advisories\/GHSA-vv3x-j2x5-36jc","cve":"CVE-2026-33080","affectedVersions":"\u003E=5.0.0,\u003C5.3.5|\u003E=4.0.0,\u003C4.8.5","source":"GitHub","reportedAt":"2026-03-18 20:07:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vv3x-j2x5-36jc"}]}],"cpsit\/typo3-mailqueue":[{"advisoryId":"PKSA-nq65-b886-3hc5","packageName":"cpsit\/typo3-mailqueue","remoteId":"GHSA-2pm6-9fhx-vvg3","title":"The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class","link":"https:\/\/github.com\/advisories\/GHSA-2pm6-9fhx-vvg3","cve":"CVE-2026-1323","affectedVersions":"\u003E=0.5.0,\u003C0.5.2|\u003C0.4.5","source":"GitHub","reportedAt":"2026-03-18 16:17:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2pm6-9fhx-vvg3"}]}],"ayacoo\/redirect-tab":[{"advisoryId":"PKSA-qm8d-zth2-jq36","packageName":"ayacoo\/redirect-tab","remoteId":"GHSA-755r-r738-mjgp","title":"Broken Access Control in extension \u0022Redirect Tab\u0022 (redirect_tab)","link":"https:\/\/github.com\/advisories\/GHSA-755r-r738-mjgp","cve":"CVE-2026-4202","affectedVersions":"\u003E=4.0.0,\u003C4.0.5|\u003E=3.0.0,\u003C3.1.7|\u003C2.1.2","source":"GitHub","reportedAt":"2026-03-17 09:31:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-755r-r738-mjgp"}]}],"ralffreit\/mfa-email":[{"advisoryId":"PKSA-qp7n-s4g1-wsjq","packageName":"ralffreit\/mfa-email","remoteId":"GHSA-29r8-gvx4-r9w3","title":"Authentication Bypass in extension \u0022E-Mail MFA Provider\u0022 (mfa_email)","link":"https:\/\/github.com\/advisories\/GHSA-29r8-gvx4-r9w3","cve":"CVE-2026-4208","affectedVersions":"=2.0.0|\u003C1.0.7","source":"GitHub","reportedAt":"2026-03-17 09:31:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-29r8-gvx4-r9w3"}]}],"aureuserp\/aureuserp":[{"advisoryId":"PKSA-nj38-h5v2-sqrz","packageName":"aureuserp\/aureuserp","remoteId":"GHSA-76c2-3q6g-xvpm","title":"Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler","link":"https:\/\/github.com\/advisories\/GHSA-76c2-3q6g-xvpm","cve":"CVE-2026-4175","affectedVersions":"\u003C1.3.0-BETA1","source":"GitHub","reportedAt":"2026-03-16 15:30:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-76c2-3q6g-xvpm"}]}],"cockpit-hq\/cockpit":[{"advisoryId":"PKSA-rm9w-whnt-2jgw","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-7x5c-vfhj-9628","title":"Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() ","link":"https:\/\/github.com\/advisories\/GHSA-7x5c-vfhj-9628","cve":"CVE-2026-31891","affectedVersions":"\u003C2.13.5","source":"GitHub","reportedAt":"2026-03-17 17:07:41","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7x5c-vfhj-9628"}]}],"craftcms\/azure-blob":[{"advisoryId":"PKSA-yqn3-q88t-c7wb","packageName":"craftcms\/azure-blob","remoteId":"GHSA-q6fm-p73f-x862","title":"Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-q6fm-p73f-x862","cve":"CVE-2026-32268","affectedVersions":"\u003E=2.0.0-beta.1,\u003C=2.1.0","source":"GitHub","reportedAt":"2026-03-16 18:44:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q6fm-p73f-x862"}]}],"craftcms\/webhooks":[{"advisoryId":"PKSA-fnz6-639n-kpcq","packageName":"craftcms\/webhooks","remoteId":"GHSA-8wg7-wm29-2rvg","title":"RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin","link":"https:\/\/github.com\/advisories\/GHSA-8wg7-wm29-2rvg","cve":"CVE-2026-32261","affectedVersions":"\u003E=3.0.0,\u003C3.2.0","source":"GitHub","reportedAt":"2026-03-16 18:11:23","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8wg7-wm29-2rvg"}]}],"craftcms\/aws-s3":[{"advisoryId":"PKSA-7kdj-x25g-wc45","packageName":"craftcms\/aws-s3","remoteId":"GHSA-hwj7-4vgc-j3v9","title":"Amazon S3 for Craft CMS has an Information Disclosure vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-hwj7-4vgc-j3v9","cve":"CVE-2026-32265","affectedVersions":"\u003E=2.0.2,\u003C=2.2.4","source":"GitHub","reportedAt":"2026-03-16 18:13:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hwj7-4vgc-j3v9"}]}],"craftcms\/google-cloud":[{"advisoryId":"PKSA-36bt-9p2f-mcy8","packageName":"craftcms\/google-cloud","remoteId":"GHSA-67cr-jmh8-4jpq","title":"Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-67cr-jmh8-4jpq","cve":"CVE-2026-32266","affectedVersions":"\u003E=2.0.0-beta.1,\u003C=2.2.0","source":"GitHub","reportedAt":"2026-03-16 18:14:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-67cr-jmh8-4jpq"}]}],"simplesamlphp\/xml-security":[{"advisoryId":"PKSA-sxbn-dpg6-6ng9","packageName":"simplesamlphp\/xml-security","remoteId":"GHSA-r353-4845-pr5p","title":"simplesamlphp\/xml-security: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption","link":"https:\/\/github.com\/advisories\/GHSA-r353-4845-pr5p","cve":"CVE-2026-32600","affectedVersions":"\u003C1.13.9|\u003E=2.0.0,\u003C2.3.1","source":"GitHub","reportedAt":"2026-03-13 20:44:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r353-4845-pr5p"}]}],"robrichards\/xmlseclibs":[{"advisoryId":"PKSA-pr5h-1dpm-9x4k","packageName":"robrichards\/xmlseclibs","remoteId":"GHSA-4v26-v6cg-g6f9","title":"xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption","link":"https:\/\/github.com\/advisories\/GHSA-4v26-v6cg-g6f9","cve":"CVE-2026-32313","affectedVersions":"\u003C3.1.5","source":"GitHub","reportedAt":"2026-03-13 20:04:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4v26-v6cg-g6f9"}]}],"winter\/wn-backend-module":[{"advisoryId":"PKSA-4n8n-yrbw-13gr","packageName":"winter\/wn-backend-module","remoteId":"GHSA-pgpf-m8m4-6cg6","title":"Winter vulnerable to privilege escalation by authenticated backend users","link":"https:\/\/github.com\/advisories\/GHSA-pgpf-m8m4-6cg6","cve":"CVE-2026-27591","affectedVersions":"\u003C1.0.477|\u003E=1.1.0,\u003C1.1.12|\u003E=1.2.0,\u003C1.2.12","source":"GitHub","reportedAt":"2026-03-12 14:07:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-pgpf-m8m4-6cg6"}]}],"limesurvey\/limesurvey":[{"advisoryId":"PKSA-g7yy-kkwv-8pkt","packageName":"limesurvey\/limesurvey","remoteId":"GHSA-rccq-2fxq-7x3h","title":"LimeSurvey is vulnerable to SQL injection","link":"https:\/\/github.com\/advisories\/GHSA-rccq-2fxq-7x3h","cve":"CVE-2025-56421","affectedVersions":"\u003C6.15.4","source":"GitHub","reportedAt":"2026-03-10 18:31:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rccq-2fxq-7x3h"}]}],"shopware\/platform":[{"advisoryId":"PKSA-bwqq-zb6b-g5dh","packageName":"shopware\/platform","remoteId":"GHSA-7vvp-j573-5584","title":"Shopware: Unauthenticated data extraction possible through store-api.order endpoint","link":"https:\/\/github.com\/advisories\/GHSA-7vvp-j573-5584","cve":"CVE-2026-31887","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7vvp-j573-5584"}]},{"advisoryId":"PKSA-8zg6-v85t-wcz3","packageName":"shopware\/platform","remoteId":"GHSA-gqc5-xv7m-gcjq","title":"Shopware has user enumeration via distinct error codes on Store API login endpoint","link":"https:\/\/github.com\/advisories\/GHSA-gqc5-xv7m-gcjq","cve":"CVE-2026-31888","affectedVersions":"\u003C6.6.10.14|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gqc5-xv7m-gcjq"}]},{"advisoryId":"PKSA-qj2q-c8sp-3qyg","packageName":"shopware\/platform","remoteId":"GHSA-c4p7-rwrg-pf6p","title":"Shopware vulnerable to a potential take over of app credentials","link":"https:\/\/github.com\/advisories\/GHSA-c4p7-rwrg-pf6p","cve":"CVE-2026-31889","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:24:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c4p7-rwrg-pf6p"}]}],"shopware\/core":[{"advisoryId":"PKSA-1d39-xhww-sgwf","packageName":"shopware\/core","remoteId":"GHSA-7vvp-j573-5584","title":"Shopware: Unauthenticated data extraction possible through store-api.order endpoint","link":"https:\/\/github.com\/advisories\/GHSA-7vvp-j573-5584","cve":"CVE-2026-31887","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7vvp-j573-5584"}]},{"advisoryId":"PKSA-cck7-yytv-pqc6","packageName":"shopware\/core","remoteId":"GHSA-gqc5-xv7m-gcjq","title":"Shopware has user enumeration via distinct error codes on Store API login endpoint","link":"https:\/\/github.com\/advisories\/GHSA-gqc5-xv7m-gcjq","cve":"CVE-2026-31888","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:23:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gqc5-xv7m-gcjq"}]},{"advisoryId":"PKSA-fyfg-936j-xtjc","packageName":"shopware\/core","remoteId":"GHSA-c4p7-rwrg-pf6p","title":"Shopware vulnerable to a potential take over of app credentials","link":"https:\/\/github.com\/advisories\/GHSA-c4p7-rwrg-pf6p","cve":"CVE-2026-31889","affectedVersions":"\u003C6.6.10.15|\u003E=6.7.0.0,\u003C6.7.8.1","source":"GitHub","reportedAt":"2026-03-11 19:24:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c4p7-rwrg-pf6p"}]}],"sylius\/sylius":[{"advisoryId":"PKSA-6vgh-6nsj-96p4","packageName":"sylius\/sylius","remoteId":"GHSA-9ffx-f77r-756w","title":"Sylius has an Open Redirect via Referer Header","link":"https:\/\/github.com\/advisories\/GHSA-9ffx-f77r-756w","cve":"CVE-2026-31819","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15|\u003E=1.14.0,\u003C=1.14.17|\u003E=1.13.0,\u003C=1.13.14|\u003E=1.12.0,\u003C=1.12.22|\u003E=1.11.0,\u003C=1.11.16|\u003E=1.10.0,\u003C=1.10.15|\u003C=1.9.11","source":"GitHub","reportedAt":"2026-03-11 00:12:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9ffx-f77r-756w"}]},{"advisoryId":"PKSA-x831-kfr2-97xs","packageName":"sylius\/sylius","remoteId":"GHSA-2xc6-348p-c2x6","title":"Sylius affected by IDOR in Cart and Checkout LiveComponents","link":"https:\/\/github.com\/advisories\/GHSA-2xc6-348p-c2x6","cve":"CVE-2026-31820","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:12:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2xc6-348p-c2x6"}]},{"advisoryId":"PKSA-mmpz-f966-fz1y","packageName":"sylius\/sylius","remoteId":"GHSA-wjmg-4cq5-m8hg","title":"Sylius is Missing Authorization in API v2 Add Item Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-wjmg-4cq5-m8hg","cve":"CVE-2026-31821","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:12:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wjmg-4cq5-m8hg"}]},{"advisoryId":"PKSA-n7z6-xgmt-1wzb","packageName":"sylius\/sylius","remoteId":"GHSA-vgh8-c6fp-7gcg","title":"Sylius has a XSS vulnerability in checkout login form","link":"https:\/\/github.com\/advisories\/GHSA-vgh8-c6fp-7gcg","cve":"CVE-2026-31822","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:13:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vgh8-c6fp-7gcg"}]},{"advisoryId":"PKSA-w86z-tc6z-1np1","packageName":"sylius\/sylius","remoteId":"GHSA-mx4q-xxc9-pf5q","title":"Sylius Vulnerable to Authenticated Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-mx4q-xxc9-pf5q","cve":"CVE-2026-31823","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15","source":"GitHub","reportedAt":"2026-03-11 00:13:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mx4q-xxc9-pf5q"}]},{"advisoryId":"PKSA-xqwf-3qbb-njd6","packageName":"sylius\/sylius","remoteId":"GHSA-7mp4-25j8-hp5q","title":"Sylius has a Promotion Usage Limit Bypass via Race Condition","link":"https:\/\/github.com\/advisories\/GHSA-7mp4-25j8-hp5q","cve":"CVE-2026-31824","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15|\u003E=1.14.0,\u003C=1.14.17|\u003E=1.13.0,\u003C=1.13.14|\u003E=1.12.0,\u003C=1.12.22|\u003E=1.11.0,\u003C=1.11.16|\u003E=1.10.0,\u003C=1.10.15|\u003C=1.9.11","source":"GitHub","reportedAt":"2026-03-11 00:13:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7mp4-25j8-hp5q"}]},{"advisoryId":"PKSA-6fr5-nks6-h5j2","packageName":"sylius\/sylius","remoteId":"GHSA-xcwx-r2gw-w93m","title":"Sylius has a DQL Injection via API Order Filters","link":"https:\/\/github.com\/advisories\/GHSA-xcwx-r2gw-w93m","cve":"CVE-2026-31825","affectedVersions":"\u003E=2.2.0,\u003C=2.2.2|\u003E=2.1.0,\u003C=2.1.11|\u003E=2.0.0,\u003C=2.0.15|\u003E=1.14.0,\u003C=1.14.17|\u003E=1.13.0,\u003C=1.13.14|\u003E=1.12.0,\u003C=1.12.22|\u003E=1.11.0,\u003C=1.11.16|\u003E=1.10.0,\u003C=1.10.15|\u003C=1.9.11","source":"GitHub","reportedAt":"2026-03-11 00:13:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xcwx-r2gw-w93m"}]},{"advisoryId":"PKSA-b1q1-2jf6-pqt9","packageName":"sylius\/sylius","remoteId":"GHSA-55rf-8q29-4g43","title":"Sylius has a security vulnerability via adjustments API endpoint","link":"https:\/\/github.com\/advisories\/GHSA-55rf-8q29-4g43","cve":"CVE-2024-40633","affectedVersions":"\u003E=1.11.0-alpha.1,\u003C=1.11.16|\u003E=1.10.0-alpha.1,\u003C=1.10.15|\u003C1.9.12|\u003E=1.12.0-alpha.1,\u003C1.12.19|\u003E=1.13.0-alpha.1,\u003C1.13.4","source":"GitHub","reportedAt":"2024-07-17 14:32:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-55rf-8q29-4g43"}]},{"advisoryId":"PKSA-dg69-7wty-b2d6","packageName":"sylius\/sylius","remoteId":"GHSA-v2f9-rv6w-vw8r","title":"Sylius potentially vulnerable to Cross Site Scripting via \u0022Name\u0022 field (Taxons, Products, Options, Variants) in Admin Panel","link":"https:\/\/github.com\/advisories\/GHSA-v2f9-rv6w-vw8r","cve":"CVE-2024-34349","affectedVersions":"\u003E=1.11.0-alpha.1,\u003C1.11.17|\u003E=1.10.0-alpha.1,\u003C1.10.16|\u003C1.9.12|\u003E=1.13.0-alpha.1,\u003C1.13.1|\u003E=1.12.0-alpha.1,\u003C1.12.16","source":"GitHub","reportedAt":"2024-05-10 15:33:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v2f9-rv6w-vw8r"}]},{"advisoryId":"PKSA-nsc4-mbdg-1r18","packageName":"sylius\/sylius","remoteId":"GHSA-7prj-9ccr-hr3q","title":"Sylius has potential Cross Site Scripting vulnerability via the \u0022Province\u0022 field in the Checkout and Address Book","link":"https:\/\/github.com\/advisories\/GHSA-7prj-9ccr-hr3q","cve":"CVE-2024-29376","affectedVersions":"\u003E=1.11.0-alpha.1,\u003C1.11.17|\u003E=1.10.0-alpha.1,\u003C1.10.16|\u003C1.9.12|\u003E=1.13.0-alpha.1,\u003C1.13.1|\u003E=1.12.0-alpha.1,\u003C1.12.16","source":"GitHub","reportedAt":"2024-05-10 15:33:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7prj-9ccr-hr3q"}]}],"wpmetabox\/meta-box":[{"advisoryId":"PKSA-s98v-q9gv-s2bz","packageName":"wpmetabox\/meta-box","remoteId":"GHSA-m4q3-832v-44j6","title":"Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file","link":"https:\/\/github.com\/advisories\/GHSA-m4q3-832v-44j6","cve":"CVE-2025-14675","affectedVersions":"\u003C5.11.2","source":"GitHub","reportedAt":"2026-03-07 09:30:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-m4q3-832v-44j6"}]}],"web-auth\/webauthn-framework":[{"advisoryId":"PKSA-1sct-n8q3-hf7r","packageName":"web-auth\/webauthn-framework","remoteId":"GHSA-f7pm-6hr8-7ggm","title":"Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation","link":"https:\/\/github.com\/advisories\/GHSA-f7pm-6hr8-7ggm","cve":"CVE-2026-30964","affectedVersions":"\u003E=5.2.0,\u003C5.2.4","source":"GitHub","reportedAt":"2026-03-10 01:19:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7pm-6hr8-7ggm"}]}],"web-auth\/webauthn-lib":[{"advisoryId":"PKSA-n72g-8zd8-6dm2","packageName":"web-auth\/webauthn-lib","remoteId":"GHSA-f7pm-6hr8-7ggm","title":"Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation","link":"https:\/\/github.com\/advisories\/GHSA-f7pm-6hr8-7ggm","cve":"CVE-2026-30964","affectedVersions":"\u003E=5.2.0,\u003C5.2.4","source":"GitHub","reportedAt":"2026-03-10 01:19:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7pm-6hr8-7ggm"}]}],"web-auth\/webauthn-symfony-bundle":[{"advisoryId":"PKSA-mvry-7c68-swp2","packageName":"web-auth\/webauthn-symfony-bundle","remoteId":"GHSA-f7pm-6hr8-7ggm","title":"Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation","link":"https:\/\/github.com\/advisories\/GHSA-f7pm-6hr8-7ggm","cve":"CVE-2026-30964","affectedVersions":"\u003E=5.2.0,\u003C5.2.4","source":"GitHub","reportedAt":"2026-03-10 01:19:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f7pm-6hr8-7ggm"}]}],"flarum\/nicknames":[{"advisoryId":"PKSA-661s-dgrr-6b19","packageName":"flarum\/nicknames","remoteId":"GHSA-3c4m-j3g4-hh25","title":"flarum\/nicknames extension has display name injection in notification emails (autolink \u0026 markdown)","link":"https:\/\/github.com\/advisories\/GHSA-3c4m-j3g4-hh25","cve":"CVE-2026-30913","affectedVersions":"\u003C1.8.3","source":"GitHub","reportedAt":"2026-03-10 00:56:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3c4m-j3g4-hh25"}]}],"azuracast\/azuracast":[{"advisoryId":"PKSA-p9gy-8v98-hsfy","packageName":"azuracast\/azuracast","remoteId":"GHSA-93fx-5qgc-wr38","title":"AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs","link":"https:\/\/github.com\/advisories\/GHSA-93fx-5qgc-wr38","cve":null,"affectedVersions":"\u003C=0.23.3","source":"GitHub","reportedAt":"2026-03-09 19:55:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-93fx-5qgc-wr38"}]}],"components\/jquery":[{"advisoryId":"PKSA-jvpv-pcrn-dfzc","packageName":"components\/jquery","remoteId":"GHSA-gxr4-xjj5-5px2","title":"Potential XSS vulnerability in jQuery","link":"https:\/\/github.com\/advisories\/GHSA-gxr4-xjj5-5px2","cve":"CVE-2020-11022","affectedVersions":"\u003E=1.12.0,\u003C3.5.0","source":"GitHub","reportedAt":"2020-04-29 22:18:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gxr4-xjj5-5px2"}]}]}}