{"advisories":{"goodoneuz\/pay-uz":[{"advisoryId":"PKSA-hc2w-9ctz-542g","packageName":"goodoneuz\/pay-uz","remoteId":"GHSA-m5wg-cjgh-223j","title":"goodoneuz\/pay-uz: the \/payment\/api\/editable\/update endpoint overwrites existing PHP payment hook files","link":"https:\/\/github.com\/advisories\/GHSA-m5wg-cjgh-223j","cve":"CVE-2026-31843","affectedVersions":"\u003C=2.2.24","source":"GitHub","reportedAt":"2026-04-16 15:31:32","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-m5wg-cjgh-223j"}]}],"processwire\/processwire":[{"advisoryId":"PKSA-m19p-x1h4-xw57","packageName":"processwire\/processwire","remoteId":"GHSA-gmwr-9j4p-96vm","title":"ProcessWire: server-side request forgery vulnerability in the admin panel\u0027s \u0027Add Module From URL\u0027 feature","link":"https:\/\/github.com\/advisories\/GHSA-gmwr-9j4p-96vm","cve":"CVE-2026-40500","affectedVersions":"\u003C=3.0.255","source":"GitHub","reportedAt":"2026-04-16 00:54:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gmwr-9j4p-96vm"}]}],"joedolson\/my-calendar":[{"advisoryId":"PKSA-zws9-hgnd-t1ht","packageName":"joedolson\/my-calendar","remoteId":"GHSA-2mvx-f5qm-v2ch","title":"Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar","link":"https:\/\/github.com\/advisories\/GHSA-2mvx-f5qm-v2ch","cve":"CVE-2026-40308","affectedVersions":"\u003C3.7.7","source":"GitHub","reportedAt":"2026-04-16 21:34:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2mvx-f5qm-v2ch"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-z3t4-4xbz-b3c9","packageName":"wwbn\/avideo","remoteId":"GHSA-xr6f-h4x7-r6qp","title":"WWBN AVideo: RCE cause by clonesite plugin","link":"https:\/\/github.com\/advisories\/GHSA-xr6f-h4x7-r6qp","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-16 21:25:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xr6f-h4x7-r6qp"}]},{"advisoryId":"PKSA-q934-7bnb-4bby","packageName":"wwbn\/avideo","remoteId":"GHSA-5879-4fmr-xwf2","title":"WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal","link":"https:\/\/github.com\/advisories\/GHSA-5879-4fmr-xwf2","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:21:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5879-4fmr-xwf2"}]},{"advisoryId":"PKSA-8cks-7g1w-tz19","packageName":"wwbn\/avideo","remoteId":"GHSA-j432-4w3j-3w8j","title":"WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL","link":"https:\/\/github.com\/advisories\/GHSA-j432-4w3j-3w8j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j432-4w3j-3w8j"}]},{"advisoryId":"PKSA-gxyd-jpvf-3ngj","packageName":"wwbn\/avideo","remoteId":"GHSA-8pv3-29pp-pf8f","title":"WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver","link":"https:\/\/github.com\/advisories\/GHSA-8pv3-29pp-pf8f","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8pv3-29pp-pf8f"}]},{"advisoryId":"PKSA-pt2z-fxr4-fvmc","packageName":"wwbn\/avideo","remoteId":"GHSA-m63r-m9jh-3vc6","title":"WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters","link":"https:\/\/github.com\/advisories\/GHSA-m63r-m9jh-3vc6","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:23:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m63r-m9jh-3vc6"}]},{"advisoryId":"PKSA-gvmz-qdx4-njzh","packageName":"wwbn\/avideo","remoteId":"GHSA-m7r8-6q9j-m2hc","title":"WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS","link":"https:\/\/github.com\/advisories\/GHSA-m7r8-6q9j-m2hc","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:25:28","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m7r8-6q9j-m2hc"}]},{"advisoryId":"PKSA-v7bq-jd15-qdrz","packageName":"wwbn\/avideo","remoteId":"GHSA-pq8p-wc4f-vg7j","title":"WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-pq8p-wc4f-vg7j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:27:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pq8p-wc4f-vg7j"}]},{"advisoryId":"PKSA-nfcd-g6c3-5tff","packageName":"wwbn\/avideo","remoteId":"GHSA-vvfw-4m39-fjqf","title":"WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials","link":"https:\/\/github.com\/advisories\/GHSA-vvfw-4m39-fjqf","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vvfw-4m39-fjqf"}]},{"advisoryId":"PKSA-ttj4-18vr-tsp9","packageName":"wwbn\/avideo","remoteId":"GHSA-ffw8-fwxp-h64w","title":"WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)","link":"https:\/\/github.com\/advisories\/GHSA-ffw8-fwxp-h64w","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ffw8-fwxp-h64w"}]},{"advisoryId":"PKSA-k36z-m2m9-7f9w","packageName":"wwbn\/avideo","remoteId":"GHSA-x2pw-9c38-cp2j","title":"WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion","link":"https:\/\/github.com\/advisories\/GHSA-x2pw-9c38-cp2j","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x2pw-9c38-cp2j"}]},{"advisoryId":"PKSA-8nj2-vhcz-7bc5","packageName":"wwbn\/avideo","remoteId":"GHSA-8qm8-g55h-xmqr","title":"WWBN AVideo is missing CSRF protection in objects\/commentDelete.json.php enables mass comment deletion against moderators and content creators","link":"https:\/\/github.com\/advisories\/GHSA-8qm8-g55h-xmqr","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8qm8-g55h-xmqr"}]},{"advisoryId":"PKSA-k6wt-ck7m-8514","packageName":"wwbn\/avideo","remoteId":"GHSA-hg7g-56h5-5pqr","title":"CAPTCHA Bypass in WWBN\/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure","link":"https:\/\/github.com\/advisories\/GHSA-hg7g-56h5-5pqr","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hg7g-56h5-5pqr"}]},{"advisoryId":"PKSA-zgmc-4215-ztzk","packageName":"wwbn\/avideo","remoteId":"GHSA-793q-xgj6-7frp","title":"WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF","link":"https:\/\/github.com\/advisories\/GHSA-793q-xgj6-7frp","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:15:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-793q-xgj6-7frp"}]},{"advisoryId":"PKSA-5c4b-gnfd-8xsq","packageName":"wwbn\/avideo","remoteId":"GHSA-ccq9-r5cw-5hwq","title":"WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover","link":"https:\/\/github.com\/advisories\/GHSA-ccq9-r5cw-5hwq","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ccq9-r5cw-5hwq"}]},{"advisoryId":"PKSA-tsyg-vszv-9tkz","packageName":"wwbn\/avideo","remoteId":"GHSA-ff5q-cc22-fgp4","title":"WWBN AVideo has a CORS Origin Reflection Bypass via plugin\/API\/router.php and allowOrigin(true) Exposes Authenticated API Responses","link":"https:\/\/github.com\/advisories\/GHSA-ff5q-cc22-fgp4","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ff5q-cc22-fgp4"}]},{"advisoryId":"PKSA-zr2c-vrf1-x6qy","packageName":"wwbn\/avideo","remoteId":"GHSA-gph2-j4c9-vhhr","title":"WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks","link":"https:\/\/github.com\/advisories\/GHSA-gph2-j4c9-vhhr","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:50:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gph2-j4c9-vhhr"}]},{"advisoryId":"PKSA-2sy8-4q8b-cn2c","packageName":"wwbn\/avideo","remoteId":"GHSA-gpgp-w4x2-h3h7","title":"WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users\u0027 Stream Keys and OAuth Tokens","link":"https:\/\/github.com\/advisories\/GHSA-gpgp-w4x2-h3h7","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gpgp-w4x2-h3h7"}]},{"advisoryId":"PKSA-yc9y-ydj1-h48d","packageName":"wwbn\/avideo","remoteId":"GHSA-52hf-63q4-r926","title":"WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version","link":"https:\/\/github.com\/advisories\/GHSA-52hf-63q4-r926","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:25","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-52hf-63q4-r926"}]},{"advisoryId":"PKSA-mbzn-myxk-vdz9","packageName":"wwbn\/avideo","remoteId":"GHSA-6rc6-p838-686f","title":"WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-6rc6-p838-686f","cve":null,"affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6rc6-p838-686f"}]},{"advisoryId":"PKSA-1msk-y5kh-hb4p","packageName":"wwbn\/avideo","remoteId":"GHSA-v467-g7g7-hhfh","title":"AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation","link":"https:\/\/github.com\/advisories\/GHSA-v467-g7g7-hhfh","cve":"CVE-2026-33237","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v467-g7g7-hhfh"}]},{"advisoryId":"PKSA-484r-cdwt-2gm4","packageName":"wwbn\/avideo","remoteId":"GHSA-4wmm-6qxj-fpj4","title":"AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-4wmm-6qxj-fpj4","cve":"CVE-2026-33238","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4wmm-6qxj-fpj4"}]}],"statamic\/cms":[{"advisoryId":"PKSA-yx2m-bjk3-fnky","packageName":"statamic\/cms","remoteId":"GHSA-4jjr-vmv7-wh4w","title":"Statamic: Unsafe method invocation via query value resolution allows data destruction","link":"https:\/\/github.com\/advisories\/GHSA-4jjr-vmv7-wh4w","cve":null,"affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.13.0|\u003C5.73.20","source":"GitHub","reportedAt":"2026-04-16 21:25:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jjr-vmv7-wh4w"}]}],"silverstripe\/assets":[{"advisoryId":"PKSA-tfnf-7k34-fpdv","packageName":"silverstripe\/assets","remoteId":"silverstripe\/assets\/CVE-2026-24749.yaml","title":"CVE-2026-24749 - DBFile permission bypass","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/cve-2026-24749","cve":"CVE-2026-24749","affectedVersions":"\u003E=2.0.0,\u003C2.4.5|\u003E=3.0.0,\u003C3.1.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-16 02:30:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jgcf-rf45-2f8v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/assets\/CVE-2026-24749.yaml"}]}],"krayin\/laravel-crm":[{"advisoryId":"PKSA-y1wv-79ht-f4db","packageName":"krayin\/laravel-crm","remoteId":"GHSA-rm5f-3c25-p4cw","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Controllers\/Lead\/LeadController.php","link":"https:\/\/github.com\/advisories\/GHSA-rm5f-3c25-p4cw","cve":"CVE-2026-38530","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rm5f-3c25-p4cw"}]},{"advisoryId":"PKSA-5xsp-55yb-hdyp","packageName":"krayin\/laravel-crm","remoteId":"GHSA-r8rp-5f55-5j9x","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Settings\/UserController.php","link":"https:\/\/github.com\/advisories\/GHSA-r8rp-5f55-5j9x","cve":"CVE-2026-38529","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r8rp-5f55-5j9x"}]},{"advisoryId":"PKSA-2w9z-jxqd-y35k","packageName":"krayin\/laravel-crm","remoteId":"GHSA-2xx8-j85v-j7wh","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Contact\/Persons\/PersonController.php","link":"https:\/\/github.com\/advisories\/GHSA-2xx8-j85v-j7wh","cve":"CVE-2026-38532","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2xx8-j85v-j7wh"}]},{"advisoryId":"PKSA-gcg3-xvcm-8tz7","packageName":"krayin\/laravel-crm","remoteId":"GHSA-fpx9-9hq8-w2xc","title":"Webkul Krayin CRM has Server-Side Request Forgery (SSRF)","link":"https:\/\/github.com\/advisories\/GHSA-fpx9-9hq8-w2xc","cve":"CVE-2026-38527","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fpx9-9hq8-w2xc"}]}],"khodakhah\/nodcms":[{"advisoryId":"PKSA-j2zd-bc4z-jzrm","packageName":"khodakhah\/nodcms","remoteId":"GHSA-3qcm-pj6q-w4c5","title":"Nodcms contains a cross-site request forgery vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-3qcm-pj6q-w4c5","cve":"CVE-2016-20054","affectedVersions":"\u003C=3.4.1","source":"GitHub","reportedAt":"2026-04-04 21:30:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3qcm-pj6q-w4c5"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-t427-p3m6-gf3c","packageName":"froxlor\/froxlor","remoteId":"GHSA-w59f-67xm-rxx7","title":"Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-w59f-67xm-rxx7","cve":null,"affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 01:02:12","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w59f-67xm-rxx7"}]},{"advisoryId":"PKSA-ghdy-xf1y-wsyx","packageName":"froxlor\/froxlor","remoteId":"GHSA-jvx4-xv3m-hrj4","title":"Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()","link":"https:\/\/github.com\/advisories\/GHSA-jvx4-xv3m-hrj4","cve":null,"affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:46:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jvx4-xv3m-hrj4"}]},{"advisoryId":"PKSA-mym1-2cj8-f6cp","packageName":"froxlor\/froxlor","remoteId":"GHSA-vmjj-qr7v-pxm6","title":"Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing","link":"https:\/\/github.com\/advisories\/GHSA-vmjj-qr7v-pxm6","cve":null,"affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vmjj-qr7v-pxm6"}]},{"advisoryId":"PKSA-jy2x-d5vf-ycwz","packageName":"froxlor\/froxlor","remoteId":"GHSA-75h4-c557-j89r","title":"Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron","link":"https:\/\/github.com\/advisories\/GHSA-75h4-c557-j89r","cve":null,"affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-75h4-c557-j89r"}]},{"advisoryId":"PKSA-zvbr-5xtx-pwd7","packageName":"froxlor\/froxlor","remoteId":"GHSA-47hf-23pw-3m8c","title":"Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()","link":"https:\/\/github.com\/advisories\/GHSA-47hf-23pw-3m8c","cve":null,"affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-47hf-23pw-3m8c"}]},{"advisoryId":"PKSA-s4pz-z4hm-5n7x","packageName":"froxlor\/froxlor","remoteId":"GHSA-gc9w-cc93-rjv8","title":"Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)","link":"https:\/\/github.com\/advisories\/GHSA-gc9w-cc93-rjv8","cve":null,"affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:50:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gc9w-cc93-rjv8"}]}],"pocketmine\/pocketmine-mp":[{"advisoryId":"PKSA-tnfd-ykdn-862g","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-xp4f-g2cm-rhg7","title":"PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket","link":"https:\/\/github.com\/advisories\/GHSA-xp4f-g2cm-rhg7","cve":null,"affectedVersions":"\u003C5.42.1","source":"GitHub","reportedAt":"2026-04-15 19:43:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xp4f-g2cm-rhg7"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-ws9h-wxv9-tvcq","packageName":"kimai\/kimai","remoteId":"GHSA-g82g-m9vx-vhjg","title":"Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget","link":"https:\/\/github.com\/advisories\/GHSA-g82g-m9vx-vhjg","cve":"CVE-2026-40479","affectedVersions":"\u003C2.53.0","source":"GitHub","reportedAt":"2026-04-15 19:46:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g82g-m9vx-vhjg"}]},{"advisoryId":"PKSA-td5w-h5y4-9w1v","packageName":"kimai\/kimai","remoteId":"GHSA-qh43-xrjm-4ggp","title":"Kimai\u0027s User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate","link":"https:\/\/github.com\/advisories\/GHSA-qh43-xrjm-4ggp","cve":"CVE-2026-40486","affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-15 19:46:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qh43-xrjm-4ggp"}]},{"advisoryId":"PKSA-7mgs-q4t6-z3xx","packageName":"kimai\/kimai","remoteId":"GHSA-3jp4-mhh4-gcgr","title":"Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler","link":"https:\/\/github.com\/advisories\/GHSA-3jp4-mhh4-gcgr","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:06","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3jp4-mhh4-gcgr"}]},{"advisoryId":"PKSA-k88g-1gqq-x96c","packageName":"kimai\/kimai","remoteId":"GHSA-rh42-6rj2-xwmc","title":"Kimai leaks API Token Hash via Invoice Twig Template","link":"https:\/\/github.com\/advisories\/GHSA-rh42-6rj2-xwmc","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:25","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rh42-6rj2-xwmc"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-dmwd-n76s-m3f9","packageName":"craftcms\/cms","remoteId":"GHSA-jq2f-59pj-p3m3","title":"Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action","link":"https:\/\/github.com\/advisories\/GHSA-jq2f-59pj-p3m3","cve":null,"affectedVersions":"\u003E=5.6.0,\u003C5.9.15","source":"GitHub","reportedAt":"2026-04-14 23:34:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jq2f-59pj-p3m3"}]},{"advisoryId":"PKSA-wb3t-ts8t-d4cj","packageName":"craftcms\/cms","remoteId":"GHSA-3m9m-24vh-39wx","title":"Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations","link":"https:\/\/github.com\/advisories\/GHSA-3m9m-24vh-39wx","cve":null,"affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:35:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3m9m-24vh-39wx"}]},{"advisoryId":"PKSA-ntd3-69q5-4cfy","packageName":"craftcms\/cms","remoteId":"GHSA-95wr-3f2v-v2wh","title":"Craft CMS has a host header injection leading to SSRF via resource-js endpoint","link":"https:\/\/github.com\/advisories\/GHSA-95wr-3f2v-v2wh","cve":null,"affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:36:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-95wr-3f2v-v2wh"}]}],"librenms\/librenms":[{"advisoryId":"PKSA-brrg-b2hn-sb6q","packageName":"librenms\/librenms","remoteId":"GHSA-rp7w-624x-95qv","title":"LibreNMS affected by an authenticated Cross-site Scripting vulnerability on the showconfig page","link":"https:\/\/github.com\/advisories\/GHSA-rp7w-624x-95qv","cve":"CVE-2026-2728","affectedVersions":"\u003C26.3.0","source":"GitHub","reportedAt":"2026-04-13 12:31:15","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rp7w-624x-95qv"}]},{"advisoryId":"PKSA-crbw-6n6w-1qmb","packageName":"librenms\/librenms","remoteId":"GHSA-pr3g-phhr-h8fh","title":"LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write","link":"https:\/\/github.com\/advisories\/GHSA-pr3g-phhr-h8fh","cve":"CVE-2026-6204","affectedVersions":"\u003E=1.48,\u003C26.3.0","source":"GitHub","reportedAt":"2026-03-26 18:04:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pr3g-phhr-h8fh"}]}],"s9y\/serendipity":[{"advisoryId":"PKSA-vfgc-2rdq-w256","packageName":"s9y\/serendipity","remoteId":"GHSA-4m6c-649p-f6gf","title":"Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php","link":"https:\/\/github.com\/advisories\/GHSA-4m6c-649p-f6gf","cve":"CVE-2026-39963","affectedVersions":"\u003C2.6.0","source":"GitHub","reportedAt":"2026-04-14 22:32:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4m6c-649p-f6gf"}]},{"advisoryId":"PKSA-fdbd-416g-v2zm","packageName":"s9y\/serendipity","remoteId":"GHSA-458g-q4fh-mj6r","title":"Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header","link":"https:\/\/github.com\/advisories\/GHSA-458g-q4fh-mj6r","cve":"CVE-2026-39971","affectedVersions":"\u003C2.6.0","source":"GitHub","reportedAt":"2026-04-14 22:32:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-458g-q4fh-mj6r"}]}],"october\/rain":[{"advisoryId":"PKSA-qst9-2ky5-dhpn","packageName":"october\/rain","remoteId":"GHSA-g6v3-wv4j-x9hg","title":"October Rain has Environment Variable Exfiltration via INI Parser Interpolation","link":"https:\/\/github.com\/advisories\/GHSA-g6v3-wv4j-x9hg","cve":"CVE-2026-25125","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 22:29:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g6v3-wv4j-x9hg"}]},{"advisoryId":"PKSA-22sk-dxft-df3d","packageName":"october\/rain","remoteId":"GHSA-gcqv-f29m-67gr","title":"October Rain has Stored XSS via SVG Filter Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gcqv-f29m-67gr","cve":"CVE-2026-25133","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 22:29:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcqv-f29m-67gr"}]},{"advisoryId":"PKSA-7hg1-vmz2-j7w6","packageName":"october\/rain","remoteId":"GHSA-m5qg-jc75-4jp6","title":"October Rain has a Twig Sandbox Bypass via Collection Methods","link":"https:\/\/github.com\/advisories\/GHSA-m5qg-jc75-4jp6","cve":"CVE-2026-22692","affectedVersions":"\u003C=3.7.12|\u003E=4.0.0,\u003C=4.1.4","source":"GitHub","reportedAt":"2026-04-14 20:02:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m5qg-jc75-4jp6"}]}],"october\/system":[{"advisoryId":"PKSA-44b4-zdw9-q1j5","packageName":"october\/system","remoteId":"GHSA-6qmh-j78v-ffp7","title":"October CMS has Stored XSS in Backend Editor Markup Classes","link":"https:\/\/github.com\/advisories\/GHSA-6qmh-j78v-ffp7","cve":"CVE-2026-24906","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 20:02:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6qmh-j78v-ffp7"}]},{"advisoryId":"PKSA-57nm-kh7g-ddrg","packageName":"october\/system","remoteId":"GHSA-j4j5-9x6g-rgxc","title":"October CMS has Stored XSS in Event Log Mail Preview","link":"https:\/\/github.com\/advisories\/GHSA-j4j5-9x6g-rgxc","cve":"CVE-2026-24907","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 20:02:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j4j5-9x6g-rgxc"}]}],"composer\/composer":[{"advisoryId":"PKSA-t5r2-p5q9-mtpn","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-40261.yaml","title":"Command injection via malicious Perforce source reference\/url","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-gqw4-4w2p-838q","cve":"CVE-2026-40261","affectedVersions":"\u003E=2.3,\u003C2.9.6|\u003E=1.0,\u003C2.2.27","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-14 09:42:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-40261.yaml"},{"name":"GitHub","remoteId":"GHSA-gqw4-4w2p-838q"}]},{"advisoryId":"PKSA-6bp1-9hfj-2cgv","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-40176.yaml","title":"Command injection via malicious Perforce repository definition","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-wg36-wvj6-r67p","cve":"CVE-2026-40176","affectedVersions":"\u003E=2.3,\u003C2.9.6|\u003E=1.0,\u003C2.2.27","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-14 09:42:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-40176.yaml"},{"name":"GitHub","remoteId":"GHSA-wg36-wvj6-r67p"}]}],"craftcms\/commerce":[{"advisoryId":"PKSA-tnb8-k5sw-yxmk","packageName":"craftcms\/commerce","remoteId":"GHSA-3vxg-x5f8-f5qf","title":"Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments","link":"https:\/\/github.com\/advisories\/GHSA-3vxg-x5f8-f5qf","cve":"CVE-2026-32270","affectedVersions":"\u003E=4.0.0,\u003C=4.10.2|\u003E=5.0.0,\u003C=5.5.4","source":"GitHub","reportedAt":"2026-04-14 01:01:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3vxg-x5f8-f5qf"}]},{"advisoryId":"PKSA-nhg1-858f-sgm2","packageName":"craftcms\/commerce","remoteId":"GHSA-r54v-qq87-px5r","title":"Craft Commerce hasVariant\/hasProduct Blind SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-r54v-qq87-px5r","cve":"CVE-2026-32272","affectedVersions":"\u003E=5.0.0,\u003C5.6.0","source":"GitHub","reportedAt":"2026-04-14 00:06:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r54v-qq87-px5r"}]},{"advisoryId":"PKSA-chpm-5f12-rdnt","packageName":"craftcms\/commerce","remoteId":"GHSA-875v-7m49-8x88","title":"Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget","link":"https:\/\/github.com\/advisories\/GHSA-875v-7m49-8x88","cve":"CVE-2026-32271","affectedVersions":"\u003E=5.0.0,\u003C=5.5.4|\u003E=4.0.0,\u003C=4.10.2","source":"GitHub","reportedAt":"2026-04-14 00:07:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-875v-7m49-8x88"}]}],"webonyx\/graphql-php":[{"advisoryId":"PKSA-7h5p-prw9-w5nr","packageName":"webonyx\/graphql-php","remoteId":"GHSA-68jq-c3rv-pcrr","title":"graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation","link":"https:\/\/github.com\/advisories\/GHSA-68jq-c3rv-pcrr","cve":"CVE-2026-40476","affectedVersions":"\u003C=15.31.4","source":"GitHub","reportedAt":"2026-04-14 01:05:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-68jq-c3rv-pcrr"}]}],"rhukster\/dom-sanitizer":[{"advisoryId":"PKSA-x5pq-tgg3-vhtm","packageName":"rhukster\/dom-sanitizer","remoteId":"GHSA-93vf-569f-22cq","title":"rhukster\/dom-sanitizer: SVG \u003Cstyle\u003E tag allows CSS injection via unfiltered url() and @import directives","link":"https:\/\/github.com\/advisories\/GHSA-93vf-569f-22cq","cve":"CVE-2026-40301","affectedVersions":"\u003C1.0.10","source":"GitHub","reportedAt":"2026-04-10 21:08:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-93vf-569f-22cq"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-zh4j-by9m-7mz8","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-r854-jrxh-36qx","title":"phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()","link":"https:\/\/github.com\/advisories\/GHSA-r854-jrxh-36qx","cve":"CVE-2026-40194","affectedVersions":"\u003E=3.0.0,\u003C3.0.51|\u003E=2.0.0,\u003C2.0.53|\u003C1.0.28","source":"GitHub","reportedAt":"2026-04-10 20:58:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-r854-jrxh-36qx"}]}],"redaxo\/source":[{"advisoryId":"PKSA-4w67-7bxw-yj96","packageName":"redaxo\/source","remoteId":"GHSA-m662-8jrj-cw6v","title":"REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-m662-8jrj-cw6v","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-m662-8jrj-cw6v"}]},{"advisoryId":"PKSA-ps7n-211c-nz3j","packageName":"redaxo\/source","remoteId":"GHSA-xq4j-g85q-wf97","title":"REDAXO has reflected XSS backend packages API via function parameter (CSRF token required)","link":"https:\/\/github.com\/advisories\/GHSA-xq4j-g85q-wf97","cve":null,"affectedVersions":"\u003C5.21.0","source":"GitHub","reportedAt":"2026-04-10 19:40:42","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-xq4j-g85q-wf97"}]}],"kantorge\/yaffa":[{"advisoryId":"PKSA-bprf-j9w1-t7bq","packageName":"kantorge\/yaffa","remoteId":"GHSA-pq95-94c9-j987","title":"yaffa vulnerable to Cross Site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-pq95-94c9-j987","cve":"CVE-2025-70844","affectedVersions":"\u003C=2.0.0","source":"GitHub","reportedAt":"2026-04-07 18:31:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pq95-94c9-j987"}]}],"laravel\/passport":[{"advisoryId":"PKSA-wc55-9qj2-7v4h","packageName":"laravel\/passport","remoteId":"GHSA-349c-2h2f-mxf6","title":"Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens","link":"https:\/\/github.com\/advisories\/GHSA-349c-2h2f-mxf6","cve":"CVE-2026-39976","affectedVersions":"\u003E=13.0.0,\u003C13.7.1","source":"GitHub","reportedAt":"2026-04-08 19:57:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-349c-2h2f-mxf6"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-wfcs-d3sq-n6dj","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-37fq-47qj-6j5j","title":"YesWiki has Persistent Blind XSS at \u0022\/?BazaR\u0026vue=consulter\u0022","link":"https:\/\/github.com\/advisories\/GHSA-37fq-47qj-6j5j","cve":"CVE-2026-34598","affectedVersions":"\u003C4.6.0","source":"GitHub","reportedAt":"2026-04-01 00:13:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-37fq-47qj-6j5j"}]}],"google\/protobuf":[{"advisoryId":"PKSA-tcfz-w4fm-hhk9","packageName":"google\/protobuf","remoteId":"GHSA-p2gh-cfq4-4wjc","title":"Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion","link":"https:\/\/github.com\/advisories\/GHSA-p2gh-cfq4-4wjc","cve":"CVE-2026-6409","affectedVersions":"\u003C4.33.6","source":"GitHub","reportedAt":"2026-03-25 21:02:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p2gh-cfq4-4wjc"}]}],"components\/jquery":[{"advisoryId":"PKSA-jvpv-pcrn-dfzc","packageName":"components\/jquery","remoteId":"GHSA-gxr4-xjj5-5px2","title":"Potential XSS vulnerability in jQuery","link":"https:\/\/github.com\/advisories\/GHSA-gxr4-xjj5-5px2","cve":"CVE-2020-11022","affectedVersions":"\u003E=1.12.0,\u003C3.5.0","source":"GitHub","reportedAt":"2020-04-29 22:18:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gxr4-xjj5-5px2"}]}]}}