{"advisories":{"craftcms\/commerce":[{"advisoryId":"PKSA-tnb8-k5sw-yxmk","packageName":"craftcms\/commerce","remoteId":"GHSA-3vxg-x5f8-f5qf","title":"Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments","link":"https:\/\/github.com\/advisories\/GHSA-3vxg-x5f8-f5qf","cve":"CVE-2026-32270","affectedVersions":"\u003E=4.0.0,\u003C=4.10.2|\u003E=5.0.0,\u003C=5.5.4","source":"GitHub","reportedAt":"2026-04-14 01:01:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3vxg-x5f8-f5qf"}]},{"advisoryId":"PKSA-nhg1-858f-sgm2","packageName":"craftcms\/commerce","remoteId":"GHSA-r54v-qq87-px5r","title":"Craft Commerce hasVariant\/hasProduct Blind SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-r54v-qq87-px5r","cve":"CVE-2026-32272","affectedVersions":"\u003E=5.0.0,\u003C5.6.0","source":"GitHub","reportedAt":"2026-04-14 00:06:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r54v-qq87-px5r"}]},{"advisoryId":"PKSA-chpm-5f12-rdnt","packageName":"craftcms\/commerce","remoteId":"GHSA-875v-7m49-8x88","title":"Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget","link":"https:\/\/github.com\/advisories\/GHSA-875v-7m49-8x88","cve":"CVE-2026-32271","affectedVersions":"\u003E=5.0.0,\u003C=5.5.4|\u003E=4.0.0,\u003C=4.10.2","source":"GitHub","reportedAt":"2026-04-14 00:07:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-875v-7m49-8x88"}]}],"webonyx\/graphql-php":[{"advisoryId":"PKSA-7h5p-prw9-w5nr","packageName":"webonyx\/graphql-php","remoteId":"GHSA-68jq-c3rv-pcrr","title":"graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation","link":"https:\/\/github.com\/advisories\/GHSA-68jq-c3rv-pcrr","cve":null,"affectedVersions":"\u003C=15.31.4","source":"GitHub","reportedAt":"2026-04-14 01:05:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-68jq-c3rv-pcrr"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-7mgs-q4t6-z3xx","packageName":"kimai\/kimai","remoteId":"GHSA-3jp4-mhh4-gcgr","title":"Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler","link":"https:\/\/github.com\/advisories\/GHSA-3jp4-mhh4-gcgr","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:06","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3jp4-mhh4-gcgr"}]},{"advisoryId":"PKSA-k88g-1gqq-x96c","packageName":"kimai\/kimai","remoteId":"GHSA-rh42-6rj2-xwmc","title":"Kimai leaks API Token Hash via Invoice Twig Template","link":"https:\/\/github.com\/advisories\/GHSA-rh42-6rj2-xwmc","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:25","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rh42-6rj2-xwmc"}]}],"rhukster\/dom-sanitizer":[{"advisoryId":"PKSA-x5pq-tgg3-vhtm","packageName":"rhukster\/dom-sanitizer","remoteId":"GHSA-93vf-569f-22cq","title":"rhukster\/dom-sanitizer: SVG \u003Cstyle\u003E tag allows CSS injection via unfiltered url() and @import directives","link":"https:\/\/github.com\/advisories\/GHSA-93vf-569f-22cq","cve":null,"affectedVersions":"\u003C1.0.10","source":"GitHub","reportedAt":"2026-04-10 21:08:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-93vf-569f-22cq"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-zh4j-by9m-7mz8","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-r854-jrxh-36qx","title":"phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()","link":"https:\/\/github.com\/advisories\/GHSA-r854-jrxh-36qx","cve":"CVE-2026-40194","affectedVersions":"\u003E=3.0.0,\u003C3.0.51|\u003E=2.0.0,\u003C2.0.53|\u003C1.0.28","source":"GitHub","reportedAt":"2026-04-10 20:58:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-r854-jrxh-36qx"}]}],"redaxo\/source":[{"advisoryId":"PKSA-4w67-7bxw-yj96","packageName":"redaxo\/source","remoteId":"GHSA-m662-8jrj-cw6v","title":"REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-m662-8jrj-cw6v","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-m662-8jrj-cw6v"}]},{"advisoryId":"PKSA-ps7n-211c-nz3j","packageName":"redaxo\/source","remoteId":"GHSA-xq4j-g85q-wf97","title":"REDAXO has reflected XSS backend packages API via function parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-xq4j-g85q-wf97","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:42","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-xq4j-g85q-wf97"}]}],"kantorge\/yaffa":[{"advisoryId":"PKSA-bprf-j9w1-t7bq","packageName":"kantorge\/yaffa","remoteId":"GHSA-pq95-94c9-j987","title":"yaffa vulnerable to Cross Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-pq95-94c9-j987","cve":"CVE-2025-70844","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-04-07 18:31:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pq95-94c9-j987"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-f178-s5q3-rpz6","packageName":"wwbn\/avideo","remoteId":"GHSA-687q-32c6-8x68","title":"AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-687q-32c6-8x68","cve":"CVE-2026-33478","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-20 20:43:50","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-687q-32c6-8x68"}]},{"advisoryId":"PKSA-1dhf-r34w-p2f7","packageName":"wwbn\/avideo","remoteId":"GHSA-mmw7-wq3c-wf9p","title":"WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php","link":"https:\/\/github.com\/advisories\/GHSA-mmw7-wq3c-wf9p","cve":"CVE-2026-39366","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mmw7-wq3c-wf9p"}]},{"advisoryId":"PKSA-zd55-pq2p-fmtz","packageName":"wwbn\/avideo","remoteId":"GHSA-rqp3-gf5h-mrqx","title":"WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page","link":"https:\/\/github.com\/advisories\/GHSA-rqp3-gf5h-mrqx","cve":"CVE-2026-39367","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rqp3-gf5h-mrqx"}]},{"advisoryId":"PKSA-9dyr-jdcn-mr53","packageName":"wwbn\/avideo","remoteId":"GHSA-q4x6-6mm2-crg9","title":"WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services","link":"https:\/\/github.com\/advisories\/GHSA-q4x6-6mm2-crg9","cve":"CVE-2026-39368","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q4x6-6mm2-crg9"}]},{"advisoryId":"PKSA-jrf5-73b5-1wm8","packageName":"wwbn\/avideo","remoteId":"GHSA-f4f9-627c-jh33","title":"WWBN AVideo\u0027s GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs","link":"https:\/\/github.com\/advisories\/GHSA-f4f9-627c-jh33","cve":"CVE-2026-39369","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f4f9-627c-jh33"}]},{"advisoryId":"PKSA-k95w-1pmg-ryfd","packageName":"wwbn\/avideo","remoteId":"GHSA-cmcr-q4jf-p6q9","title":"WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)","link":"https:\/\/github.com\/advisories\/GHSA-cmcr-q4jf-p6q9","cve":"CVE-2026-39370","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-04-08 00:08:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-cmcr-q4jf-p6q9"}]},{"advisoryId":"PKSA-37q2-fmsd-htgf","packageName":"wwbn\/avideo","remoteId":"GHSA-f359-r3pv-2phf","title":"AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints","link":"https:\/\/github.com\/advisories\/GHSA-f359-r3pv-2phf","cve":"CVE-2026-33766","affectedVersions":"\u003C=26.0","source":"GitHub","reportedAt":"2026-03-26 18:10:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f359-r3pv-2phf"}]},{"advisoryId":"PKSA-1msk-y5kh-hb4p","packageName":"wwbn\/avideo","remoteId":"GHSA-v467-g7g7-hhfh","title":"AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation","link":"https:\/\/github.com\/advisories\/GHSA-v467-g7g7-hhfh","cve":"CVE-2026-33237","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v467-g7g7-hhfh"}]},{"advisoryId":"PKSA-484r-cdwt-2gm4","packageName":"wwbn\/avideo","remoteId":"GHSA-4wmm-6qxj-fpj4","title":"AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-4wmm-6qxj-fpj4","cve":"CVE-2026-33238","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4wmm-6qxj-fpj4"}]}],"laravel\/passport":[{"advisoryId":"PKSA-wc55-9qj2-7v4h","packageName":"laravel\/passport","remoteId":"GHSA-349c-2h2f-mxf6","title":"Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens","link":"https:\/\/github.com\/advisories\/GHSA-349c-2h2f-mxf6","cve":"CVE-2026-39976","affectedVersions":"\u003E=13.0.0,\u003C13.7.1","source":"GitHub","reportedAt":"2026-04-08 19:57:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-349c-2h2f-mxf6"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-qjrw-zc8d-74p2","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-9rxp-f27p-wv3h","title":"CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files","link":"https:\/\/github.com\/advisories\/GHSA-9rxp-f27p-wv3h","cve":"CVE-2026-39389","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9rxp-f27p-wv3h"}]},{"advisoryId":"PKSA-znp8-d94g-vhxv","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-x3hr-cp7x-44r2","title":"CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting","link":"https:\/\/github.com\/advisories\/GHSA-x3hr-cp7x-44r2","cve":"CVE-2026-39390","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x3hr-cp7x-44r2"}]},{"advisoryId":"PKSA-v96y-q2b3-cqc5","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-7cm9-v848-cfh2","title":"CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List","link":"https:\/\/github.com\/advisories\/GHSA-7cm9-v848-cfh2","cve":"CVE-2026-39391","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cm9-v848-cfh2"}]},{"advisoryId":"PKSA-9pcd-vkjt-q5hq","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fjpj-6qcq-6pw2","title":"CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-fjpj-6qcq-6pw2","cve":"CVE-2026-39392","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fjpj-6qcq-6pw2"}]},{"advisoryId":"PKSA-1wjp-gt44-q5bg","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-8rh5-4mvx-xj7j","title":"CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass","link":"https:\/\/github.com\/advisories\/GHSA-8rh5-4mvx-xj7j","cve":"CVE-2026-39393","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:15:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8rh5-4mvx-xj7j"}]},{"advisoryId":"PKSA-rh74-dqx1-j9wm","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vfhx-5459-qhqh","title":"CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller","link":"https:\/\/github.com\/advisories\/GHSA-vfhx-5459-qhqh","cve":"CVE-2026-39394","affectedVersions":"\u003C=0.31.3.0","source":"GitHub","reportedAt":"2026-04-08 19:16:12","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vfhx-5459-qhqh"}]}],"feehi\/cms":[{"advisoryId":"PKSA-csfn-tqkm-331b","packageName":"feehi\/cms","remoteId":"GHSA-cvjh-88c8-2jjx","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation\/editing module","link":"https:\/\/github.com\/advisories\/GHSA-cvjh-88c8-2jjx","cve":"CVE-2026-31351","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cvjh-88c8-2jjx"}]},{"advisoryId":"PKSA-mqjt-q7xt-ffry","packageName":"feehi\/cms","remoteId":"GHSA-hqjc-wfvx-x2fv","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module","link":"https:\/\/github.com\/advisories\/GHSA-hqjc-wfvx-x2fv","cve":"CVE-2026-31352","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hqjc-wfvx-x2fv"}]},{"advisoryId":"PKSA-ws91-wc7w-vwjs","packageName":"feehi\/cms","remoteId":"GHSA-664p-j3q6-p843","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module","link":"https:\/\/github.com\/advisories\/GHSA-664p-j3q6-p843","cve":"CVE-2026-31353","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-664p-j3q6-p843"}]},{"advisoryId":"PKSA-rwph-3mr4-xjw2","packageName":"feehi\/cms","remoteId":"GHSA-xqm9-6qmm-xrqh","title":"Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module","link":"https:\/\/github.com\/advisories\/GHSA-xqm9-6qmm-xrqh","cve":"CVE-2026-31354","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xqm9-6qmm-xrqh"}]},{"advisoryId":"PKSA-tgmx-kn2c-zmk2","packageName":"feehi\/cms","remoteId":"GHSA-cgxr-v74v-g9mm","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter","link":"https:\/\/github.com\/advisories\/GHSA-cgxr-v74v-g9mm","cve":"CVE-2026-31350","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-cgxr-v74v-g9mm"}]},{"advisoryId":"PKSA-ssrk-53xg-dbbn","packageName":"feehi\/cms","remoteId":"GHSA-hj9c-p59c-vqph","title":"Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation\/editing module","link":"https:\/\/github.com\/advisories\/GHSA-hj9c-p59c-vqph","cve":"CVE-2026-31313","affectedVersions":"=2.1.1","source":"GitHub","reportedAt":"2026-04-06 18:33:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hj9c-p59c-vqph"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-wfcs-d3sq-n6dj","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-37fq-47qj-6j5j","title":"YesWiki has Persistent Blind XSS at \u0022\/?BazaR\u0026vue=consulter\u0022","link":"https:\/\/github.com\/advisories\/GHSA-37fq-47qj-6j5j","cve":"CVE-2026-34598","affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:13:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37fq-47qj-6j5j"}]}],"components\/jquery":[{"advisoryId":"PKSA-jvpv-pcrn-dfzc","packageName":"components\/jquery","remoteId":"GHSA-gxr4-xjj5-5px2","title":"Potential XSS vulnerability in jQuery","link":"https:\/\/github.com\/advisories\/GHSA-gxr4-xjj5-5px2","cve":"CVE-2020-11022","affectedVersions":"\u003E=1.12.0,\u003C3.5.0","source":"GitHub","reportedAt":"2020-04-29 22:18:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gxr4-xjj5-5px2"}]}]}}