{"advisories":{"rhukster\/dom-sanitizer":[{"advisoryId":"PKSA-x5pq-tgg3-vhtm","packageName":"rhukster\/dom-sanitizer","remoteId":"GHSA-93vf-569f-22cq","title":"rhukster\/dom-sanitizer: SVG \u003Cstyle\u003E tag allows CSS injection via unfiltered url() and @import directives","link":"https:\/\/github.com\/advisories\/GHSA-93vf-569f-22cq","cve":null,"affectedVersions":"\u003C1.0.10","source":"GitHub","reportedAt":"2026-04-10 21:08:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-93vf-569f-22cq"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-zh4j-by9m-7mz8","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-r854-jrxh-36qx","title":"phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()","link":"https:\/\/github.com\/advisories\/GHSA-r854-jrxh-36qx","cve":"CVE-2026-40194","affectedVersions":"\u003E=3.0.0,\u003C3.0.51|\u003E=2.0.0,\u003C2.0.53|\u003C1.0.28","source":"GitHub","reportedAt":"2026-04-10 20:58:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-r854-jrxh-36qx"}]}],"redaxo\/source":[{"advisoryId":"PKSA-4w67-7bxw-yj96","packageName":"redaxo\/source","remoteId":"GHSA-m662-8jrj-cw6v","title":"REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-m662-8jrj-cw6v","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-m662-8jrj-cw6v"}]},{"advisoryId":"PKSA-ps7n-211c-nz3j","packageName":"redaxo\/source","remoteId":"GHSA-xq4j-g85q-wf97","title":"REDAXO has reflected XSS backend packages API via function parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-xq4j-g85q-wf97","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:42","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-xq4j-g85q-wf97"}]}],"kantorge\/yaffa":[{"advisoryId":"PKSA-bprf-j9w1-t7bq","packageName":"kantorge\/yaffa","remoteId":"GHSA-pq95-94c9-j987","title":"yaffa vulnerable to Cross Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-pq95-94c9-j987","cve":"CVE-2025-70844","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-04-07 18:31:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pq95-94c9-j987"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-f178-s5q3-rpz6","packageName":"wwbn\/avideo","remoteId":"GHSA-687q-32c6-8x68","title":"AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-687q-32c6-8x68","cve":"CVE-2026-33478","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:43:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-687q-32c6-8x68"}]},{"advisoryId":"PKSA-1dhf-r34w-p2f7","packageName":"wwbn\/avideo","remoteId":"GHSA-mmw7-wq3c-wf9p","title":"WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php","link":"https:\/\/github.com\/advisories\/GHSA-mmw7-wq3c-wf9p","cve":"CVE-2026-39366","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mmw7-wq3c-wf9p"}]},{"advisoryId":"PKSA-zd55-pq2p-fmtz","packageName":"wwbn\/avideo","remoteId":"GHSA-rqp3-gf5h-mrqx","title":"WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page","link":"https:\/\/github.com\/advisories\/GHSA-rqp3-gf5h-mrqx","cve":"CVE-2026-39367","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rqp3-gf5h-mrqx"}]},{"advisoryId":"PKSA-9dyr-jdcn-mr53","packageName":"wwbn\/avideo","remoteId":"GHSA-q4x6-6mm2-crg9","title":"WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services","link":"https:\/\/github.com\/advisories\/GHSA-q4x6-6mm2-crg9","cve":"CVE-2026-39368","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q4x6-6mm2-crg9"}]},{"advisoryId":"PKSA-jrf5-73b5-1wm8","packageName":"wwbn\/avideo","remoteId":"GHSA-f4f9-627c-jh33","title":"WWBN AVideo\u0027s GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs","link":"https:\/\/github.com\/advisories\/GHSA-f4f9-627c-jh33","cve":"CVE-2026-39369","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f4f9-627c-jh33"}]},{"advisoryId":"PKSA-k95w-1pmg-ryfd","packageName":"wwbn\/avideo","remoteId":"GHSA-cmcr-q4jf-p6q9","title":"WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)","link":"https:\/\/github.com\/advisories\/GHSA-cmcr-q4jf-p6q9","cve":"CVE-2026-39370","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cmcr-q4jf-p6q9"}]},{"advisoryId":"PKSA-v2fv-f7cj-pvmk","packageName":"wwbn\/avideo","remoteId":"GHSA-3v7m-qg4x-58h9","title":"AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php","link":"https:\/\/github.com\/advisories\/GHSA-3v7m-qg4x-58h9","cve":"CVE-2026-35448","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:15:37","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3v7m-qg4x-58h9"}]},{"advisoryId":"PKSA-8k5g-7b6v-dmzw","packageName":"wwbn\/avideo","remoteId":"GHSA-hg8q-8wqr-35xx","title":"AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install\/test.php","link":"https:\/\/github.com\/advisories\/GHSA-hg8q-8wqr-35xx","cve":"CVE-2026-35449","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:16:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hg8q-8wqr-35xx"}]},{"advisoryId":"PKSA-yv5c-84v4-5kzs","packageName":"wwbn\/avideo","remoteId":"GHSA-2vg4-rrx4-qcpq","title":"AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php","link":"https:\/\/github.com\/advisories\/GHSA-2vg4-rrx4-qcpq","cve":"CVE-2026-35450","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:16:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-2vg4-rrx4-qcpq"}]},{"advisoryId":"PKSA-8d75-pkrm-ryk2","packageName":"wwbn\/avideo","remoteId":"GHSA-99j6-hj87-6fcf","title":"AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php","link":"https:\/\/github.com\/advisories\/GHSA-99j6-hj87-6fcf","cve":"CVE-2026-35452","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-04 06:17:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-99j6-hj87-6fcf"}]},{"advisoryId":"PKSA-6czf-bc7p-h4k6","packageName":"wwbn\/avideo","remoteId":"GHSA-4q27-4rrq-fx95","title":"AVideo: CSRF on Player Skin Configuration via admin\/playerUpdate.json.php","link":"https:\/\/github.com\/advisories\/GHSA-4q27-4rrq-fx95","cve":"CVE-2026-35181","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4q27-4rrq-fx95"}]},{"advisoryId":"PKSA-9kdr-v9xz-q97d","packageName":"wwbn\/avideo","remoteId":"GHSA-x9w5-xccw-5h9w","title":"AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php","link":"https:\/\/github.com\/advisories\/GHSA-x9w5-xccw-5h9w","cve":"CVE-2026-35179","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-03 23:33:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x9w5-xccw-5h9w"}]},{"advisoryId":"PKSA-37q2-fmsd-htgf","packageName":"wwbn\/avideo","remoteId":"GHSA-f359-r3pv-2phf","title":"AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f359-r3pv-2phf","cve":"CVE-2026-33766","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:10:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f359-r3pv-2phf"}]}],"laravel\/passport":[{"advisoryId":"PKSA-wc55-9qj2-7v4h","packageName":"laravel\/passport","remoteId":"GHSA-349c-2h2f-mxf6","title":"Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens","link":"https:\/\/github.com\/advisories\/GHSA-349c-2h2f-mxf6","cve":null,"affectedVersions":"\u003C13.7.1","source":"GitHub","reportedAt":"2026-04-08 19:57:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-349c-2h2f-mxf6"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-qjrw-zc8d-74p2","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-9rxp-f27p-wv3h","title":"CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files","link":"https:\/\/github.com\/advisories\/GHSA-9rxp-f27p-wv3h","cve":"CVE-2026-39389","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9rxp-f27p-wv3h"}]},{"advisoryId":"PKSA-znp8-d94g-vhxv","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-x3hr-cp7x-44r2","title":"CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting","link":"https:\/\/github.com\/advisories\/GHSA-x3hr-cp7x-44r2","cve":"CVE-2026-39390","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x3hr-cp7x-44r2"}]},{"advisoryId":"PKSA-v96y-q2b3-cqc5","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-7cm9-v848-cfh2","title":"CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List","link":"https:\/\/github.com\/advisories\/GHSA-7cm9-v848-cfh2","cve":"CVE-2026-39391","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cm9-v848-cfh2"}]},{"advisoryId":"PKSA-9pcd-vkjt-q5hq","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fjpj-6qcq-6pw2","title":"CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-fjpj-6qcq-6pw2","cve":"CVE-2026-39392","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fjpj-6qcq-6pw2"}]},{"advisoryId":"PKSA-1wjp-gt44-q5bg","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-8rh5-4mvx-xj7j","title":"CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass","link":"https:\/\/github.com\/advisories\/GHSA-8rh5-4mvx-xj7j","cve":"CVE-2026-39393","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8rh5-4mvx-xj7j"}]},{"advisoryId":"PKSA-rh74-dqx1-j9wm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vfhx-5459-qhqh","title":"CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller","link":"https:\/\/github.com\/advisories\/GHSA-vfhx-5459-qhqh","cve":"CVE-2026-39394","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:16:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vfhx-5459-qhqh"}]},{"advisoryId":"PKSA-2zsh-chw8-v8ty","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-5ghq-42rg-769x","title":"CI4MS: Company Information Public-Facing Page Full Platform Compromise \u0026 Full Account Takeover for All Roles \u0026 Privilege-Escalation via System Settings Company Information Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-5ghq-42rg-769x","cve":"CVE-2026-35035","affectedVersions":"\u003C=0.31.1.0","source":"GitHub","reportedAt":"2026-04-06 17:53:02","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-5ghq-42rg-769x"}]},{"advisoryId":"PKSA-m42v-jjr9-d9jw","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vr2g-rhm5-q4jr","title":"CI4MS: Profile \u0026 User Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-vr2g-rhm5-q4jr","cve":"CVE-2026-34989","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-03 04:00:57","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-vr2g-rhm5-q4jr"}]}],"feehi\/cms":[{"advisoryId":"PKSA-csfn-tqkm-331b","packageName":"feehi\/cms","remoteId":"GHSA-cvjh-88c8-2jjx","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation\/editing module","link":"https:\/\/github.com\/advisories\/GHSA-cvjh-88c8-2jjx","cve":"CVE-2026-31351","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cvjh-88c8-2jjx"}]},{"advisoryId":"PKSA-mqjt-q7xt-ffry","packageName":"feehi\/cms","remoteId":"GHSA-hqjc-wfvx-x2fv","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module","link":"https:\/\/github.com\/advisories\/GHSA-hqjc-wfvx-x2fv","cve":"CVE-2026-31352","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hqjc-wfvx-x2fv"}]},{"advisoryId":"PKSA-ws91-wc7w-vwjs","packageName":"feehi\/cms","remoteId":"GHSA-664p-j3q6-p843","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module","link":"https:\/\/github.com\/advisories\/GHSA-664p-j3q6-p843","cve":"CVE-2026-31353","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-664p-j3q6-p843"}]},{"advisoryId":"PKSA-rwph-3mr4-xjw2","packageName":"feehi\/cms","remoteId":"GHSA-xqm9-6qmm-xrqh","title":"Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module","link":"https:\/\/github.com\/advisories\/GHSA-xqm9-6qmm-xrqh","cve":"CVE-2026-31354","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xqm9-6qmm-xrqh"}]},{"advisoryId":"PKSA-tgmx-kn2c-zmk2","packageName":"feehi\/cms","remoteId":"GHSA-cgxr-v74v-g9mm","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter","link":"https:\/\/github.com\/advisories\/GHSA-cgxr-v74v-g9mm","cve":"CVE-2026-31350","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cgxr-v74v-g9mm"}]},{"advisoryId":"PKSA-ssrk-53xg-dbbn","packageName":"feehi\/cms","remoteId":"GHSA-hj9c-p59c-vqph","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation\/editing module","link":"https:\/\/github.com\/advisories\/GHSA-hj9c-p59c-vqph","cve":"CVE-2026-31313","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hj9c-p59c-vqph"}]}],"pocketmine\/pocketmine-mp":[{"advisoryId":"PKSA-h4z5-fb6q-736p","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-h6rj-3m53-887h","title":"PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket","link":"https:\/\/github.com\/advisories\/GHSA-h6rj-3m53-887h","cve":null,"affectedVersions":"\u003C5.41.1","source":"GitHub","reportedAt":"2026-04-06 22:54:03","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-h6rj-3m53-887h"}]},{"advisoryId":"PKSA-cnjv-js4w-1xcs","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-788v-5pfp-93ff","title":"PocketMine-MP: JSON decoding of unlimited size large arrays\/objects in ModalFormResponse Handling","link":"https:\/\/github.com\/advisories\/GHSA-788v-5pfp-93ff","cve":null,"affectedVersions":"\u003C5.39.2","source":"GitHub","reportedAt":"2026-04-06 22:54:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-788v-5pfp-93ff"}]},{"advisoryId":"PKSA-yw3m-b28c-y6hc","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-7hmv-4j2j-pp6f","title":"PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`","link":"https:\/\/github.com\/advisories\/GHSA-7hmv-4j2j-pp6f","cve":null,"affectedVersions":"\u003C5.39.2","source":"GitHub","reportedAt":"2026-04-06 22:54:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7hmv-4j2j-pp6f"}]},{"advisoryId":"PKSA-t7y4-spmt-39ct","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-f9jp-856v-8642","title":"PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state","link":"https:\/\/github.com\/advisories\/GHSA-f9jp-856v-8642","cve":null,"affectedVersions":"\u003C5.39.2","source":"GitHub","reportedAt":"2026-04-06 22:54:14","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-f9jp-856v-8642"}]}],"roundcube\/roundcubemail":[{"advisoryId":"PKSA-wjqw-j5qy-sdfr","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-rxj3-rrwm-pj4r","title":"Roundcube Webmail: Unsafe deserialization in the redis\/memcache session handler","link":"https:\/\/github.com\/advisories\/GHSA-rxj3-rrwm-pj4r","cve":"CVE-2026-35537","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rxj3-rrwm-pj4r"}]},{"advisoryId":"PKSA-764m-m66v-9t4g","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-8jr8-v43g-5c57","title":"Roundcube Webmail: Unsanitized IMAP SEARCH command arguments","link":"https:\/\/github.com\/advisories\/GHSA-8jr8-v43g-5c57","cve":"CVE-2026-35538","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-8jr8-v43g-5c57"}]},{"advisoryId":"PKSA-3z5p-dc2d-4drb","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-x4q5-8j5g-hpjc","title":"Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode","link":"https:\/\/github.com\/advisories\/GHSA-x4q5-8j5g-hpjc","cve":"CVE-2026-35539","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x4q5-8j5g-hpjc"}]},{"advisoryId":"PKSA-vsf6-6r3q-jc1x","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-vxg2-hhgr-37fx","title":"Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages","link":"https:\/\/github.com\/advisories\/GHSA-vxg2-hhgr-37fx","cve":"CVE-2026-35540","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vxg2-hhgr-37fx"}]},{"advisoryId":"PKSA-5v34-b81b-ng2h","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-46pv-mj2g-93gh","title":"Roundcube Webmail: Incorrect password comparison in the password plugin","link":"https:\/\/github.com\/advisories\/GHSA-46pv-mj2g-93gh","cve":"CVE-2026-35541","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-46pv-mj2g-93gh"}]},{"advisoryId":"PKSA-kj9x-s73h-chn8","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-5hf6-crg4-fg59","title":"Roundcube: Bypass of remote image blocking via crafted BODY background attribute","link":"https:\/\/github.com\/advisories\/GHSA-5hf6-crg4-fg59","cve":"CVE-2026-35542","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5hf6-crg4-fg59"}]},{"advisoryId":"PKSA-qdpg-77hy-3x5t","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-j2g6-8rvg-7mf6","title":"Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message","link":"https:\/\/github.com\/advisories\/GHSA-j2g6-8rvg-7mf6","cve":"CVE-2026-35543","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j2g6-8rvg-7mf6"}]},{"advisoryId":"PKSA-wvxn-8qzx-v8n9","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-xpqh-grpw-4xmg","title":"Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages","link":"https:\/\/github.com\/advisories\/GHSA-xpqh-grpw-4xmg","cve":"CVE-2026-35544","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xpqh-grpw-4xmg"}]},{"advisoryId":"PKSA-hnx5-g7mc-vpff","packageName":"roundcube\/roundcubemail","remoteId":"GHSA-w846-74jr-76cv","title":"Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message","link":"https:\/\/github.com\/advisories\/GHSA-w846-74jr-76cv","cve":"CVE-2026-35545","affectedVersions":"\u003E=1.7-beta,\u003C1.7-rc5","source":"GitHub","reportedAt":"2026-04-03 06:31:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w846-74jr-76cv"}]}],"krayin\/laravel-crm":[{"advisoryId":"PKSA-9rzv-szxy-ckw5","packageName":"krayin\/laravel-crm","remoteId":"GHSA-9m2v-hc5g-5jpv","title":"Krayin CRM is vulnerable to Cross-site Scripting (XSS)","link":"https:\/\/github.com\/advisories\/GHSA-9m2v-hc5g-5jpv","cve":"CVE-2026-5370","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-02 18:31:39","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-9m2v-hc5g-5jpv"}]}],"devcode-it\/openstamanager":[{"advisoryId":"PKSA-398m-bjsp-p21n","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-mmm5-3g4x-qw39","title":"OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals","link":"https:\/\/github.com\/advisories\/GHSA-mmm5-3g4x-qw39","cve":"CVE-2026-35470","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 21:57:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mmm5-3g4x-qw39"}]},{"advisoryId":"PKSA-dx7q-hp3f-cn12","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-2fr7-cc4f-wh98","title":"OpenSTAManager: SQL Injection via Aggiornamenti Module","link":"https:\/\/github.com\/advisories\/GHSA-2fr7-cc4f-wh98","cve":"CVE-2026-35168","affectedVersions":"\u003C=2.10.1","source":"GitHub","reportedAt":"2026-04-03 03:47:37","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2fr7-cc4f-wh98"}]}],"auth0\/login":[{"advisoryId":"PKSA-9fpd-p7cq-9hfg","packageName":"auth0\/login","remoteId":"GHSA-fmg6-246m-9g2v","title":"Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-fmg6-246m-9g2v","cve":null,"affectedVersions":"\u003E=7.0.0,\u003C=7.20.0","source":"GitHub","reportedAt":"2026-04-03 03:41:04","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fmg6-246m-9g2v"}]}],"auth0\/wordpress":[{"advisoryId":"PKSA-rbsn-2z23-mspc","packageName":"auth0\/wordpress","remoteId":"GHSA-vfpx-q664-h93m","title":"Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-vfpx-q664-h93m","cve":null,"affectedVersions":"\u003E=5.0.0-BETA0,\u003C=5.5.0","source":"GitHub","reportedAt":"2026-04-03 03:43:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vfpx-q664-h93m"}]}],"auth0\/symfony":[{"advisoryId":"PKSA-kmxg-njz7-dx5f","packageName":"auth0\/symfony","remoteId":"GHSA-ghc5-95c2-vwcv","title":"Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption","link":"https:\/\/github.com\/advisories\/GHSA-ghc5-95c2-vwcv","cve":null,"affectedVersions":"\u003E=5.0.0,\u003C=5.7.0","source":"GitHub","reportedAt":"2026-04-03 03:44:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ghc5-95c2-vwcv"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-wfcs-d3sq-n6dj","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-37fq-47qj-6j5j","title":"YesWiki has Persistent Blind XSS at \u0022\/?BazaR\u0026vue=consulter\u0022","link":"https:\/\/github.com\/advisories\/GHSA-37fq-47qj-6j5j","cve":"CVE-2026-34598","affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:13:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37fq-47qj-6j5j"}]}]}}