{"advisories":{"wwbn\/avideo":[{"advisoryId":"PKSA-6czf-bc7p-h4k6","packageName":"wwbn\/avideo","remoteId":"GHSA-4q27-4rrq-fx95","title":"AVideo: CSRF on Player Skin Configuration via admin\/playerUpdate.json.php","link":"https:\/\/github.com\/advisories\/GHSA-4q27-4rrq-fx95","cve":"CVE-2026-35181","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4q27-4rrq-fx95"}]},{"advisoryId":"PKSA-9kdr-v9xz-q97d","packageName":"wwbn\/avideo","remoteId":"GHSA-x9w5-xccw-5h9w","title":"AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php","link":"https:\/\/github.com\/advisories\/GHSA-x9w5-xccw-5h9w","cve":"CVE-2026-35179","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:33:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x9w5-xccw-5h9w"}]},{"advisoryId":"PKSA-h129-dyyg-hqpq","packageName":"wwbn\/avideo","remoteId":"GHSA-gmpc-fxg2-vcmq","title":"AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin","link":"https:\/\/github.com\/advisories\/GHSA-gmpc-fxg2-vcmq","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 23:25:11","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gmpc-fxg2-vcmq"}]},{"advisoryId":"PKSA-nbcf-22q2-3259","packageName":"wwbn\/avideo","remoteId":"GHSA-4jcg-jxpf-5vq3","title":"AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php","link":"https:\/\/github.com\/advisories\/GHSA-4jcg-jxpf-5vq3","cve":"CVE-2026-34731","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:04:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jcg-jxpf-5vq3"}]},{"advisoryId":"PKSA-mshg-1d1p-db19","packageName":"wwbn\/avideo","remoteId":"GHSA-g2mg-cgr6-vmv7","title":"AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-g2mg-cgr6-vmv7","cve":"CVE-2026-34732","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:05:59","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g2mg-cgr6-vmv7"}]},{"advisoryId":"PKSA-tjqt-v3v3-pg6b","packageName":"wwbn\/avideo","remoteId":"GHSA-wwpw-hrx8-79r5","title":"AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard","link":"https:\/\/github.com\/advisories\/GHSA-wwpw-hrx8-79r5","cve":"CVE-2026-34733","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:06:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wwpw-hrx8-79r5"}]},{"advisoryId":"PKSA-jw1r-58j1-stm1","packageName":"wwbn\/avideo","remoteId":"GHSA-38rh-4v39-vfxv","title":"AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug","link":"https:\/\/github.com\/advisories\/GHSA-38rh-4v39-vfxv","cve":"CVE-2026-34737","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:06:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-38rh-4v39-vfxv"}]},{"advisoryId":"PKSA-4yg6-hdf3-cm7q","packageName":"wwbn\/avideo","remoteId":"GHSA-m577-w9j8-ch7j","title":"AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter","link":"https:\/\/github.com\/advisories\/GHSA-m577-w9j8-ch7j","cve":"CVE-2026-34738","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:07:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m577-w9j8-ch7j"}]},{"advisoryId":"PKSA-trzy-nkyc-3bq1","packageName":"wwbn\/avideo","remoteId":"GHSA-jqrj-chh6-8h78","title":"AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php","link":"https:\/\/github.com\/advisories\/GHSA-jqrj-chh6-8h78","cve":"CVE-2026-34739","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:08:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jqrj-chh6-8h78"}]},{"advisoryId":"PKSA-v4v4-994j-g46x","packageName":"wwbn\/avideo","remoteId":"GHSA-x5vx-vrpf-r45f","title":"AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation","link":"https:\/\/github.com\/advisories\/GHSA-x5vx-vrpf-r45f","cve":"CVE-2026-34740","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 21:08:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x5vx-vrpf-r45f"}]},{"advisoryId":"PKSA-bppj-bwtk-gjyq","packageName":"wwbn\/avideo","remoteId":"GHSA-hqxf-mhfw-rc44","title":"AVideo: CSRF on Plugin Enable\/Disable Endpoint Allows Disabling Security Plugins","link":"https:\/\/github.com\/advisories\/GHSA-hqxf-mhfw-rc44","cve":"CVE-2026-34613","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:54:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hqxf-mhfw-rc44"}]},{"advisoryId":"PKSA-nph7-q1m2-1jj5","packageName":"wwbn\/avideo","remoteId":"GHSA-w4hp-w536-jg64","title":"AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification","link":"https:\/\/github.com\/advisories\/GHSA-w4hp-w536-jg64","cve":"CVE-2026-34716","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:54:51","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w4hp-w536-jg64"}]},{"advisoryId":"PKSA-zmm3-dkmp-577r","packageName":"wwbn\/avideo","remoteId":"GHSA-c4xj-x7p8-3x7q","title":"AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users","link":"https:\/\/github.com\/advisories\/GHSA-c4xj-x7p8-3x7q","cve":"CVE-2026-34611","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-01 20:48:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c4xj-x7p8-3x7q"}]},{"advisoryId":"PKSA-9wd9-hqm1-g8vw","packageName":"wwbn\/avideo","remoteId":"GHSA-77jp-mgcw-rfmr","title":"AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php","link":"https:\/\/github.com\/advisories\/GHSA-77jp-mgcw-rfmr","cve":"CVE-2026-34395","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:21:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-77jp-mgcw-rfmr"}]},{"advisoryId":"PKSA-8d8v-tnwh-mvxd","packageName":"wwbn\/avideo","remoteId":"GHSA-v4h7-3x43-qqw4","title":"AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel","link":"https:\/\/github.com\/advisories\/GHSA-v4h7-3x43-qqw4","cve":"CVE-2026-34396","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:22:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v4h7-3x43-qqw4"}]},{"advisoryId":"PKSA-sgq7-y46w-x6wm","packageName":"wwbn\/avideo","remoteId":"GHSA-4wwr-7h7c-chqr","title":"AVideo\u0027s CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-4wwr-7h7c-chqr","cve":"CVE-2026-34394","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-31 23:15:25","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4wwr-7h7c-chqr"}]},{"advisoryId":"PKSA-jgsk-3v13-mp5q","packageName":"wwbn\/avideo","remoteId":"GHSA-q6jj-r49p-94fh","title":"AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification","link":"https:\/\/github.com\/advisories\/GHSA-q6jj-r49p-94fh","cve":"CVE-2026-34369","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 18:03:26","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q6jj-r49p-94fh"}]},{"advisoryId":"PKSA-vp5k-2k3q-kh8x","packageName":"wwbn\/avideo","remoteId":"GHSA-pm37-62g7-p768","title":"AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page","link":"https:\/\/github.com\/advisories\/GHSA-pm37-62g7-p768","cve":"CVE-2026-34375","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 18:08:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm37-62g7-p768"}]},{"advisoryId":"PKSA-r7hg-81sr-ph3s","packageName":"wwbn\/avideo","remoteId":"GHSA-h54m-c522-h6qr","title":"AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance","link":"https:\/\/github.com\/advisories\/GHSA-h54m-c522-h6qr","cve":"CVE-2026-34368","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:51:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h54m-c522-h6qr"}]},{"advisoryId":"PKSA-zrqg-465j-tm13","packageName":"wwbn\/avideo","remoteId":"GHSA-73gr-r64q-7jh4","title":"AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php","link":"https:\/\/github.com\/advisories\/GHSA-73gr-r64q-7jh4","cve":"CVE-2026-34364","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:49:57","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-73gr-r64q-7jh4"}]},{"advisoryId":"PKSA-3yrj-j1ff-gsp4","packageName":"wwbn\/avideo","remoteId":"GHSA-2mg4-pfgx-64cf","title":"AVideo\u0027s WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()","link":"https:\/\/github.com\/advisories\/GHSA-2mg4-pfgx-64cf","cve":"CVE-2026-34362","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-30 17:35:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2mg4-pfgx-64cf"}]},{"advisoryId":"PKSA-mhr2-p9hx-xy4j","packageName":"wwbn\/avideo","remoteId":"GHSA-wprj-9cvc-5w37","title":"AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records","link":"https:\/\/github.com\/advisories\/GHSA-wprj-9cvc-5w37","cve":null,"affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:40:52","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-wprj-9cvc-5w37"}]},{"advisoryId":"PKSA-fw58-yv1p-mjjv","packageName":"wwbn\/avideo","remoteId":"GHSA-2rm7-j397-3fqg","title":"AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking","link":"https:\/\/github.com\/advisories\/GHSA-2rm7-j397-3fqg","cve":"CVE-2026-34245","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:41:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2rm7-j397-3fqg"}]},{"advisoryId":"PKSA-6jcq-63hk-b922","packageName":"wwbn\/avideo","remoteId":"GHSA-g3hj-mf85-679g","title":"AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications","link":"https:\/\/github.com\/advisories\/GHSA-g3hj-mf85-679g","cve":"CVE-2026-34247","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-29 15:41:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g3hj-mf85-679g"}]}],"devcode-it\/openstamanager":[{"advisoryId":"PKSA-398m-bjsp-p21n","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-mmm5-3g4x-qw39","title":"OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals","link":"https:\/\/github.com\/advisories\/GHSA-mmm5-3g4x-qw39","cve":"CVE-2026-35470","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 21:57:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mmm5-3g4x-qw39"}]},{"advisoryId":"PKSA-dx7q-hp3f-cn12","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-2fr7-cc4f-wh98","title":"OpenSTAManager: SQL Injection via Aggiornamenti Module","link":"https:\/\/github.com\/advisories\/GHSA-2fr7-cc4f-wh98","cve":"CVE-2026-35168","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 03:47:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fr7-cc4f-wh98"}]},{"advisoryId":"PKSA-84pv-3jy7-8y8y","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-3gw8-3mg3-jmpc","title":"OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter","link":"https:\/\/github.com\/advisories\/GHSA-3gw8-3mg3-jmpc","cve":"CVE-2026-28805","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-01 19:46:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3gw8-3mg3-jmpc"}]},{"advisoryId":"PKSA-7wd8-5d3q-gt4k","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-whv5-4q2f-q68g","title":"OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2","link":"https:\/\/github.com\/advisories\/GHSA-whv5-4q2f-q68g","cve":"CVE-2026-29782","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-01 19:46:50","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-whv5-4q2f-q68g"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-m42v-jjr9-d9jw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vr2g-rhm5-q4jr","title":"CI4MS: Profile \u0026 User Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-vr2g-rhm5-q4jr","cve":"CVE-2026-34989","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-03 04:00:57","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-vr2g-rhm5-q4jr"}]},{"advisoryId":"PKSA-76s3-z1f6-2f6c","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-gcfj-cf7j-vwgj","title":"CI4MS: System Settings (Social Media Management) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-gcfj-cf7j-vwgj","cve":"CVE-2026-34561","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:02:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcfj-cf7j-vwgj"}]},{"advisoryId":"PKSA-5wvv-b5q1-7q3y","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-v897-c6vq-6cr3","title":"CI4MS: System Settings (Company Information) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-v897-c6vq-6cr3","cve":"CVE-2026-34562","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:03:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v897-c6vq-6cr3"}]},{"advisoryId":"PKSA-htcp-qzb1-t2rb","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-85m8-g393-jcxf","title":"CI4MS: Backup Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM Blind XSS","link":"https:\/\/github.com\/advisories\/GHSA-85m8-g393-jcxf","cve":"CVE-2026-34563","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:04:21","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-85m8-g393-jcxf"}]},{"advisoryId":"PKSA-dscn-pm72-89xm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-g4pp-fhgf-8653","title":"CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-g4pp-fhgf-8653","cve":"CVE-2026-34564","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:04:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-g4pp-fhgf-8653"}]},{"advisoryId":"PKSA-xz64-59cc-54j6","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-xgh5-w62m-8mpr","title":"CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-xgh5-w62m-8mpr","cve":"CVE-2026-34565","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:05:45","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-xgh5-w62m-8mpr"}]},{"advisoryId":"PKSA-xqh9-kym3-gzkm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-458r-h248-29c5","title":"CI4MS: Pages Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-458r-h248-29c5","cve":"CVE-2026-34566","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:06:28","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-458r-h248-29c5"}]},{"advisoryId":"PKSA-485k-t9tj-8z9f","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-r33w-c82v-x5v7","title":"CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-r33w-c82v-x5v7","cve":"CVE-2026-34567","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:06:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-r33w-c82v-x5v7"}]},{"advisoryId":"PKSA-vbz6-f418-8p15","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-x7wh-g25g-53vg","title":"CI4MS: Blogs Posts Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-x7wh-g25g-53vg","cve":"CVE-2026-34568","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:07:13","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-x7wh-g25g-53vg"}]},{"advisoryId":"PKSA-418j-5ftc-hsbw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fhrf-q333-82fm","title":"CI4MS: Blogs Categories Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-fhrf-q333-82fm","cve":"CVE-2026-34569","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:07:37","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fhrf-q333-82fm"}]},{"advisoryId":"PKSA-xc2p-nr46-tjxw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-4vxv-4xq4-p84h","title":"CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)","link":"https:\/\/github.com\/advisories\/GHSA-4vxv-4xq4-p84h","cve":"CVE-2026-34570","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:08:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4vxv-4xq4-p84h"}]},{"advisoryId":"PKSA-vgkt-cmh2-qyjg","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fc4p-p49v-r948","title":"CI4MS: Stored Cross\u2011Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise","link":"https:\/\/github.com\/advisories\/GHSA-fc4p-p49v-r948","cve":"CVE-2026-34571","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:09:03","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fc4p-p49v-r948"}]},{"advisoryId":"PKSA-srvq-v3bs-mj79","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-8fq3-c5w3-pj3q","title":"CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)","link":"https:\/\/github.com\/advisories\/GHSA-8fq3-c5w3-pj3q","cve":"CVE-2026-34572","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:09:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8fq3-c5w3-pj3q"}]},{"advisoryId":"PKSA-vjzx-2b18-dktw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-4333-387x-w245","title":"CI4MS: Blogs Tags Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-4333-387x-w245","cve":"CVE-2026-34559","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 21:53:01","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-4333-387x-w245"}]},{"advisoryId":"PKSA-9k1p-9kvd-d2db","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-r4v5-rwr2-q7r4","title":"CI4MS: Logs Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-r4v5-rwr2-q7r4","cve":"CVE-2026-34560","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 21:54:27","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-r4v5-rwr2-q7r4"}]},{"advisoryId":"PKSA-rqgq-p6xv-4qz8","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-rpjr-985c-qhvm","title":"CI4MS: Permissions Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-rpjr-985c-qhvm","cve":"CVE-2026-34557","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 00:10:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-rpjr-985c-qhvm"}]},{"advisoryId":"PKSA-r2q1-2d2k-3p65","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-v77r-xg3p-75g7","title":"CI4MS: Methods Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-v77r-xg3p-75g7","cve":"CVE-2026-34558","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 00:09:24","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-v77r-xg3p-75g7"}]},{"advisoryId":"PKSA-3cpq-nyc1-zgst","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-66m2-v9v9-95c3","title":"ci4-cms-erp\/ci4ms: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-66m2-v9v9-95c3","cve":"CVE-2026-27599","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-03-30 16:19:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-66m2-v9v9-95c3"}]}],"auth0\/login":[{"advisoryId":"PKSA-9fpd-p7cq-9hfg","packageName":"auth0\/login","remoteId":"GHSA-fmg6-246m-9g2v","title":"Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-fmg6-246m-9g2v","cve":null,"affectedVersions":"\u003E=7.0.0,\u003C=7.20.0","source":"GitHub","reportedAt":"2026-04-03 03:41:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fmg6-246m-9g2v"}]}],"auth0\/wordpress":[{"advisoryId":"PKSA-rbsn-2z23-mspc","packageName":"auth0\/wordpress","remoteId":"GHSA-vfpx-q664-h93m","title":"Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-vfpx-q664-h93m","cve":null,"affectedVersions":"\u003E=5.0.0-BETA0,\u003C=5.5.0","source":"GitHub","reportedAt":"2026-04-03 03:43:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vfpx-q664-h93m"}]}],"auth0\/symfony":[{"advisoryId":"PKSA-kmxg-njz7-dx5f","packageName":"auth0\/symfony","remoteId":"GHSA-ghc5-95c2-vwcv","title":"Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-ghc5-95c2-vwcv","cve":null,"affectedVersions":"\u003E=5.0.0,\u003C=5.7.0","source":"GitHub","reportedAt":"2026-04-03 03:44:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ghc5-95c2-vwcv"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-fk9h-qz7y-fk1q","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gcp9-5jc8-976x","title":"phpMyFAQ has a LIKE Wildcard Injection in Search.php \u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-gcp9-5jc8-976x","cve":"CVE-2026-34973","affectedVersions":"\u003C4.1.1","source":"GitHub","reportedAt":"2026-04-01 23:41:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcp9-5jc8-976x"}]},{"advisoryId":"PKSA-yy2b-x6vy-wsx2","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-5crx-pfhq-4hgg","title":"phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation","link":"https:\/\/github.com\/advisories\/GHSA-5crx-pfhq-4hgg","cve":"CVE-2026-34974","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 23:42:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5crx-pfhq-4hgg"}]},{"advisoryId":"PKSA-t2yv-wns1-2p5c","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-98gw-w575-h2ph","title":"phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor","link":"https:\/\/github.com\/advisories\/GHSA-98gw-w575-h2ph","cve":"CVE-2026-32629","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-03-31 22:48:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98gw-w575-h2ph"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-n57d-sn2t-c46g","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-38m8-xrfj-v38x","title":"phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController","link":"https:\/\/github.com\/advisories\/GHSA-38m8-xrfj-v38x","cve":"CVE-2026-34728","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 22:30:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-38m8-xrfj-v38x"}]},{"advisoryId":"PKSA-yq8b-v8fg-rvf8","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-cv2g-8cj8-vgc7","title":"phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()","link":"https:\/\/github.com\/advisories\/GHSA-cv2g-8cj8-vgc7","cve":"CVE-2026-34729","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-04-01 22:31:44","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cv2g-8cj8-vgc7"}]},{"advisoryId":"PKSA-25jh-4r4k-gpj5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-98gw-w575-h2ph","title":"phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor","link":"https:\/\/github.com\/advisories\/GHSA-98gw-w575-h2ph","cve":"CVE-2026-32629","affectedVersions":"\u003C=4.1.0","source":"GitHub","reportedAt":"2026-03-31 22:48:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-98gw-w575-h2ph"}]}],"auth0\/auth0-php":[{"advisoryId":"PKSA-3nzc-cgjr-2gwf","packageName":"auth0\/auth0-php","remoteId":"GHSA-w3wc-44p4-m4j7","title":"Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-w3wc-44p4-m4j7","cve":"CVE-2026-34236","affectedVersions":"\u003E=8.0.0,\u003C=8.18.0","source":"GitHub","reportedAt":"2026-04-01 20:29:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w3wc-44p4-m4j7"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-v42k-yy3p-gtyh","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-5724-x3rh-5qqq","title":"YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities","link":"https:\/\/github.com\/advisories\/GHSA-5724-x3rh-5qqq","cve":null,"affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:24:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5724-x3rh-5qqq"}]},{"advisoryId":"PKSA-wfcs-d3sq-n6dj","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-37fq-47qj-6j5j","title":"YesWiki has Persistant Blind XSS at \u0022\/?BazaR\u0026vue=consulter\u0022","link":"https:\/\/github.com\/advisories\/GHSA-37fq-47qj-6j5j","cve":"CVE-2026-34598","affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:13:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37fq-47qj-6j5j"}]}],"admidio\/admidio":[{"advisoryId":"PKSA-xdc9-2g6y-xpdf","packageName":"admidio\/admidio","remoteId":"GHSA-7fh7-8xqm-3g88","title":"Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess","link":"https:\/\/github.com\/advisories\/GHSA-7fh7-8xqm-3g88","cve":"CVE-2026-34381","affectedVersions":"\u003E=5.0.0,\u003C5.0.8","source":"GitHub","reportedAt":"2026-03-31 23:10:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7fh7-8xqm-3g88"}]},{"advisoryId":"PKSA-rjbb-v642-bmj1","packageName":"admidio\/admidio","remoteId":"GHSA-g3mx-8jm6-rc85","title":"Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php","link":"https:\/\/github.com\/advisories\/GHSA-g3mx-8jm6-rc85","cve":"CVE-2026-34382","affectedVersions":"\u003E=5.0.0,\u003C=5.0.7","source":"GitHub","reportedAt":"2026-03-31 23:10:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g3mx-8jm6-rc85"}]},{"advisoryId":"PKSA-rs6z-52fv-dzjt","packageName":"admidio\/admidio","remoteId":"GHSA-ph84-r98x-2j22","title":"Admidio has Missing CSRF Protection on Registration Approval Actions","link":"https:\/\/github.com\/advisories\/GHSA-ph84-r98x-2j22","cve":"CVE-2026-34384","affectedVersions":"\u003C5.0.8","source":"GitHub","reportedAt":"2026-03-31 23:11:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ph84-r98x-2j22"}]},{"advisoryId":"PKSA-ksvx-vqkf-t9m4","packageName":"admidio\/admidio","remoteId":"GHSA-4rwm-c5mj-wh7x","title":"Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter","link":"https:\/\/github.com\/advisories\/GHSA-4rwm-c5mj-wh7x","cve":"CVE-2026-34383","affectedVersions":"\u003C=5.0.7","source":"GitHub","reportedAt":"2026-03-31 23:11:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4rwm-c5mj-wh7x"}]}],"j0k3r\/graby":[{"advisoryId":"PKSA-j5hk-b83d-1p4h","packageName":"j0k3r\/graby","remoteId":"GHSA-3h6j-9x8m-rg3g","title":"Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config","link":"https:\/\/github.com\/advisories\/GHSA-3h6j-9x8m-rg3g","cve":null,"affectedVersions":"\u003C=2.5.0","source":"GitHub","reportedAt":"2026-03-31 23:12:36","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3h6j-9x8m-rg3g"}]}],"baserproject\/basercms":[{"advisoryId":"PKSA-hd1x-n8tw-4v66","packageName":"baserproject\/basercms","remoteId":"GHSA-677c-xv24-crgx","title":"baserCMS is Vulnerable to Cross-site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-677c-xv24-crgx","cve":"CVE-2026-32734","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:52:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-677c-xv24-crgx"}]},{"advisoryId":"PKSA-kcyg-5jhp-1x3h","packageName":"baserproject\/basercms","remoteId":"GHSA-jmq3-x8q7-j9qm","title":"baserCMS has a cross-site scripting vulnerability in blog posts","link":"https:\/\/github.com\/advisories\/GHSA-jmq3-x8q7-j9qm","cve":"CVE-2026-30879","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:43:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jmq3-x8q7-j9qm"}]},{"advisoryId":"PKSA-9wbk-k4bx-zvqq","packageName":"baserproject\/basercms","remoteId":"GHSA-6hpg-8rx3-cwgv","title":"baserCMS has OS command injection vulnerability in installer","link":"https:\/\/github.com\/advisories\/GHSA-6hpg-8rx3-cwgv","cve":"CVE-2026-30880","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:43:31","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-6hpg-8rx3-cwgv"}]},{"advisoryId":"PKSA-6jcy-61hj-18tr","packageName":"baserproject\/basercms","remoteId":"GHSA-c5c6-37vq-pjcq","title":"baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API","link":"https:\/\/github.com\/advisories\/GHSA-c5c6-37vq-pjcq","cve":"CVE-2026-30940","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:47:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c5c6-37vq-pjcq"}]},{"advisoryId":"PKSA-1768-n8q1-3816","packageName":"baserproject\/basercms","remoteId":"GHSA-vh89-rjph-2g7p","title":"baserCMS has an SQL injection vulnerability in its blog post functionality","link":"https:\/\/github.com\/advisories\/GHSA-vh89-rjph-2g7p","cve":"CVE-2026-27697","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:35:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vh89-rjph-2g7p"}]},{"advisoryId":"PKSA-mr15-f3n3-4vy5","packageName":"baserproject\/basercms","remoteId":"GHSA-m9g7-rgfc-jcm7","title":"baserCMS Update Functionality Vulnerable to OS Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-m9g7-rgfc-jcm7","cve":"CVE-2026-30877","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:35:47","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-m9g7-rgfc-jcm7"}]},{"advisoryId":"PKSA-ztxq-vhtb-jhvy","packageName":"baserproject\/basercms","remoteId":"GHSA-8cr7-r8qw-gp3c","title":"baserCMS has Mail Form Acceptance Bypass via Public API","link":"https:\/\/github.com\/advisories\/GHSA-8cr7-r8qw-gp3c","cve":"CVE-2026-30878","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:36:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8cr7-r8qw-gp3c"}]},{"advisoryId":"PKSA-mrz2-4hdf-297k","packageName":"baserproject\/basercms","remoteId":"GHSA-hv78-cwp4-8r7r","title":"baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-hv78-cwp4-8r7r","cve":"CVE-2025-32957","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:22:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hv78-cwp4-8r7r"}]},{"advisoryId":"PKSA-xyh3-vpd8-cdnh","packageName":"baserproject\/basercms","remoteId":"GHSA-qxmc-6f24-g86g","title":"baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-qxmc-6f24-g86g","cve":"CVE-2026-21861","affectedVersions":"\u003C=5.2.2","source":"GitHub","reportedAt":"2026-03-31 22:27:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-qxmc-6f24-g86g"}]}],"sulu\/sulu":[{"advisoryId":"PKSA-s8fv-tzzv-5y3k","packageName":"sulu\/sulu","remoteId":"GHSA-6h7h-m7p5-hjqp","title":"Sulu checks fix permissions for subentities endpoints","link":"https:\/\/github.com\/advisories\/GHSA-6h7h-m7p5-hjqp","cve":"CVE-2026-34372","affectedVersions":"\u003E=3.0.0,\u003C3.0.5|\u003E=1.0.0,\u003C2.6.22","source":"GitHub","reportedAt":"2026-03-30 18:04:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6h7h-m7p5-hjqp"}]}]}}