{"advisories":{"coreshop\/core-shop":[{"advisoryId":"PKSA-9rch-wbbh-7nr6","packageName":"coreshop\/core-shop","remoteId":"GHSA-q58j-g3f4-h26h","title":"CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration","link":"https:\/\/github.com\/advisories\/GHSA-q58j-g3f4-h26h","cve":"CVE-2026-41249","affectedVersions":"=5.0.0","source":"GitHub","reportedAt":"2026-05-14 13:18:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q58j-g3f4-h26h"}]}],"getgrav\/grav":[{"advisoryId":"PKSA-jw9z-qj9h-1drk","packageName":"getgrav\/grav","remoteId":"GHSA-j274-39qw-32c9","title":"Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()","link":"https:\/\/github.com\/advisories\/GHSA-j274-39qw-32c9","cve":"CVE-2026-44738","affectedVersions":"\u003C=2.0.0-rc.1","source":"GitHub","reportedAt":"2026-05-13 15:29:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j274-39qw-32c9"}]},{"advisoryId":"PKSA-pfs8-6ghq-nzcr","packageName":"getgrav\/grav","remoteId":"GHSA-fmg2-f5r9-24qc","title":"Grav: Stored XSS via page title (data[header][title]) in admin panel","link":"https:\/\/github.com\/advisories\/GHSA-fmg2-f5r9-24qc","cve":"CVE-2026-44737","affectedVersions":"\u003C1.7.49.5","source":"GitHub","reportedAt":"2026-05-08 19:38:00","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fmg2-f5r9-24qc"}]},{"advisoryId":"PKSA-jtpz-17pm-t9v9","packageName":"getgrav\/grav","remoteId":"GHSA-6xx2-m8wv-756h","title":"Low-privileged Grav API users can create super-admin accounts via blueprint-upload","link":"https:\/\/github.com\/advisories\/GHSA-6xx2-m8wv-756h","cve":"CVE-2026-42844","affectedVersions":"\u003C2.0.0-beta.4","source":"GitHub","reportedAt":"2026-05-06 21:19:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6xx2-m8wv-756h"}]},{"advisoryId":"PKSA-ncnf-tf1t-zhtj","packageName":"getgrav\/grav","remoteId":"GHSA-hmcx-ch82-3fv2","title":"Grav has Unauthenticated Path Traversal \u0026 Arbitrary File Write in its FormFlash component","link":"https:\/\/github.com\/advisories\/GHSA-hmcx-ch82-3fv2","cve":"CVE-2026-42608","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:34:58","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hmcx-ch82-3fv2"}]},{"advisoryId":"PKSA-59xg-9744-g5wz","packageName":"getgrav\/grav","remoteId":"GHSA-3446-6mgw-f79p","title":"Grav is Vulnerable to XXE via SVG Upload ","link":"https:\/\/github.com\/advisories\/GHSA-3446-6mgw-f79p","cve":null,"affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:35:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3446-6mgw-f79p"}]},{"advisoryId":"PKSA-sd9s-hpbv-6d8f","packageName":"getgrav\/grav","remoteId":"GHSA-w8cg-7jcj-4vv2","title":"Grav is Vulnerable to Stored XSS via Tag Injection","link":"https:\/\/github.com\/advisories\/GHSA-w8cg-7jcj-4vv2","cve":"CVE-2026-42611","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:36:27","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w8cg-7jcj-4vv2"}]},{"advisoryId":"PKSA-st6r-p3js-kbk7","packageName":"getgrav\/grav","remoteId":"GHSA-w48r-jppp-rcfw","title":"Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature","link":"https:\/\/github.com\/advisories\/GHSA-w48r-jppp-rcfw","cve":"CVE-2026-42607","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:21:10","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w48r-jppp-rcfw"}]},{"advisoryId":"PKSA-yx72-zyj1-gtxy","packageName":"getgrav\/grav","remoteId":"GHSA-r7fx-8g49-7hhr","title":"Grav CMS vulnerable to stored XSS via Markdown media attribute() action","link":"https:\/\/github.com\/advisories\/GHSA-r7fx-8g49-7hhr","cve":"CVE-2026-42841","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:24:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r7fx-8g49-7hhr"}]},{"advisoryId":"PKSA-ddbz-4vx4-q29g","packageName":"getgrav\/grav","remoteId":"GHSA-c2q3-p4jr-c55f","title":"Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel","link":"https:\/\/github.com\/advisories\/GHSA-c2q3-p4jr-c55f","cve":"CVE-2026-42842","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:24:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c2q3-p4jr-c55f"}]},{"advisoryId":"PKSA-pzhx-ftqg-8fxh","packageName":"getgrav\/grav","remoteId":"GHSA-pxm6-mhxr-q4mj","title":"Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups\/access","link":"https:\/\/github.com\/advisories\/GHSA-pxm6-mhxr-q4mj","cve":"CVE-2026-42613","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:26:06","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-pxm6-mhxr-q4mj"}]},{"advisoryId":"PKSA-69wb-mt3g-24xp","packageName":"getgrav\/grav","remoteId":"GHSA-3f29-pqwf-v4j4","title":"Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass","link":"https:\/\/github.com\/advisories\/GHSA-3f29-pqwf-v4j4","cve":"CVE-2026-42610","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:26:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3f29-pqwf-v4j4"}]},{"advisoryId":"PKSA-dxs6-j3rv-n16d","packageName":"getgrav\/grav","remoteId":"GHSA-9695-8fr9-hw5q","title":"Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes","link":"https:\/\/github.com\/advisories\/GHSA-9695-8fr9-hw5q","cve":"CVE-2026-42612","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:27:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9695-8fr9-hw5q"}]},{"advisoryId":"PKSA-vnvp-8nvk-g8ck","packageName":"getgrav\/grav","remoteId":"GHSA-vj3m-2g9h-vm4p","title":"Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass","link":"https:\/\/github.com\/advisories\/GHSA-vj3m-2g9h-vm4p","cve":null,"affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:29:02","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-vj3m-2g9h-vm4p"}]},{"advisoryId":"PKSA-t2z1-v63n-9cpk","packageName":"getgrav\/grav","remoteId":"GHSA-gwfr-jfjf-92vv","title":"Grav has Insecure Deserialization in File Cache","link":"https:\/\/github.com\/advisories\/GHSA-gwfr-jfjf-92vv","cve":"CVE-2026-7317","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:29:29","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-gwfr-jfjf-92vv"}]},{"advisoryId":"PKSA-fchw-jdvj-kg96","packageName":"getgrav\/grav","remoteId":"GHSA-rr73-568v-28f8","title":"Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic","link":"https:\/\/github.com\/advisories\/GHSA-rr73-568v-28f8","cve":"CVE-2026-42609","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:29:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rr73-568v-28f8"}]}],"composer\/composer":[{"advisoryId":"PKSA-pwvr-3754-v57r","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-45793.yaml","title":"Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-f9f8-rm49-7jv2","cve":"CVE-2026-45793","affectedVersions":"\u003E=2.3,\u003C2.9.8|\u003E=2.0.0,\u003C2.2.28|\u003E=1.0,\u003C1.10.28","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-05-13 07:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-45793.yaml"}]},{"advisoryId":"PKSA-t5r2-p5q9-mtpn","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-40261.yaml","title":"Command injection via malicious Perforce source reference\/url","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-gqw4-4w2p-838q","cve":"CVE-2026-40261","affectedVersions":"\u003E=2.3,\u003C2.9.6|\u003E=1.0,\u003C2.2.27","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-14 09:42:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-40261.yaml"},{"name":"GitHub","remoteId":"GHSA-gqw4-4w2p-838q"}]},{"advisoryId":"PKSA-6bp1-9hfj-2cgv","packageName":"composer\/composer","remoteId":"composer\/composer\/CVE-2026-40176.yaml","title":"Command injection via malicious Perforce repository definition","link":"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-wg36-wvj6-r67p","cve":"CVE-2026-40176","affectedVersions":"\u003E=2.3,\u003C2.9.6|\u003E=1.0,\u003C2.2.27","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-14 09:42:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"composer\/composer\/CVE-2026-40176.yaml"},{"name":"GitHub","remoteId":"GHSA-wg36-wvj6-r67p"}]}],"krayin\/laravel-crm":[{"advisoryId":"PKSA-bfyk-wk4r-cjz9","packageName":"krayin\/laravel-crm","remoteId":"GHSA-j822-46r5-h4qx","title":"Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the \/admin\/activities\/create endpoint","link":"https:\/\/github.com\/advisories\/GHSA-j822-46r5-h4qx","cve":"CVE-2026-36341","affectedVersions":"=2.1.5","source":"GitHub","reportedAt":"2026-05-07 18:30:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j822-46r5-h4qx"}]},{"advisoryId":"PKSA-vkyr-b96k-z2ks","packageName":"krayin\/laravel-crm","remoteId":"GHSA-32px-ccfx-cxq3","title":"Krayin CRM allows a remote attacker to execute arbitrary code via compose email function","link":"https:\/\/github.com\/advisories\/GHSA-32px-ccfx-cxq3","cve":"CVE-2026-36340","affectedVersions":"=2.1.5","source":"GitHub","reportedAt":"2026-04-30 18:30:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-32px-ccfx-cxq3"}]},{"advisoryId":"PKSA-y1wv-79ht-f4db","packageName":"krayin\/laravel-crm","remoteId":"GHSA-rm5f-3c25-p4cw","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Controllers\/Lead\/LeadController.php","link":"https:\/\/github.com\/advisories\/GHSA-rm5f-3c25-p4cw","cve":"CVE-2026-38530","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rm5f-3c25-p4cw"}]},{"advisoryId":"PKSA-5xsp-55yb-hdyp","packageName":"krayin\/laravel-crm","remoteId":"GHSA-r8rp-5f55-5j9x","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Settings\/UserController.php","link":"https:\/\/github.com\/advisories\/GHSA-r8rp-5f55-5j9x","cve":"CVE-2026-38529","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r8rp-5f55-5j9x"}]},{"advisoryId":"PKSA-2w9z-jxqd-y35k","packageName":"krayin\/laravel-crm","remoteId":"GHSA-2xx8-j85v-j7wh","title":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the \/Contact\/Persons\/PersonController.php","link":"https:\/\/github.com\/advisories\/GHSA-2xx8-j85v-j7wh","cve":"CVE-2026-38532","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2xx8-j85v-j7wh"}]},{"advisoryId":"PKSA-gcg3-xvcm-8tz7","packageName":"krayin\/laravel-crm","remoteId":"GHSA-fpx9-9hq8-w2xc","title":"Webkul Krayin CRM has Server-Side Request Forgery (SSRF)","link":"https:\/\/github.com\/advisories\/GHSA-fpx9-9hq8-w2xc","cve":"CVE-2026-38527","affectedVersions":"\u003C=2.2.0","source":"GitHub","reportedAt":"2026-04-14 18:30:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fpx9-9hq8-w2xc"}]}],"mantisbt\/mantisbt":[{"advisoryId":"PKSA-x2q4-xdvd-5bhg","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-7mqj-8gj2-cg59","title":"MantisBT has Stored XSS on Move Attachments Admin Page","link":"https:\/\/github.com\/advisories\/GHSA-7mqj-8gj2-cg59","cve":"CVE-2026-44655","affectedVersions":"\u003E=1.3.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:40:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7mqj-8gj2-cg59"}]},{"advisoryId":"PKSA-2yw5-k1t7-1bg1","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-p6fr-rxq7-xcg8","title":"MantisBT Vulnerable to Stored XSS in File Download","link":"https:\/\/github.com\/advisories\/GHSA-p6fr-rxq7-xcg8","cve":"CVE-2026-44657","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:40:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p6fr-rxq7-xcg8"}]},{"advisoryId":"PKSA-9b5m-7bg5-xjqr","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-frf7-jhp9-jxm6","title":"MantisBT Vulnerable to Privilege Escalation from Manager to Administrator","link":"https:\/\/github.com\/advisories\/GHSA-frf7-jhp9-jxm6","cve":"CVE-2026-34390","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:06","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-frf7-jhp9-jxm6"}]},{"advisoryId":"PKSA-fybf-x73k-s1x5","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-fvjf-68wh-rwp2","title":"MantisBT is Vulnerable to Stored HTML Injection\/XSS in Clone Issue Form","link":"https:\/\/github.com\/advisories\/GHSA-fvjf-68wh-rwp2","cve":"CVE-2026-34463","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:11","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fvjf-68wh-rwp2"}]},{"advisoryId":"PKSA-wqq3-5hnc-g52v","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-ggw7-9675-6v4v","title":"MantisBT has an authorization bypass in private issue monitoring","link":"https:\/\/github.com\/advisories\/GHSA-ggw7-9675-6v4v","cve":"CVE-2026-34579","affectedVersions":"\u003E=2.26.1,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-ggw7-9675-6v4v"}]},{"advisoryId":"PKSA-mqx4-yq62-zbx3","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-rmp5-5jj7-gmvf","title":"MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue","link":"https:\/\/github.com\/advisories\/GHSA-rmp5-5jj7-gmvf","cve":"CVE-2026-34744","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:32:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rmp5-5jj7-gmvf"}]},{"advisoryId":"PKSA-vg9w-dq6n-8d9w","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-h4x5-gvx6-3rwc","title":"MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API","link":"https:\/\/github.com\/advisories\/GHSA-h4x5-gvx6-3rwc","cve":"CVE-2026-34754","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:33:06","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h4x5-gvx6-3rwc"}]},{"advisoryId":"PKSA-r5kj-njzm-rsnd","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-crmx-4p49-46m2","title":"MantisBT: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked","link":"https:\/\/github.com\/advisories\/GHSA-crmx-4p49-46m2","cve":"CVE-2026-34970","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:33:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-crmx-4p49-46m2"}]},{"advisoryId":"PKSA-vqsr-dxg3-8yzy","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-qj6w-v29q-4rgx","title":"MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values","link":"https:\/\/github.com\/advisories\/GHSA-qj6w-v29q-4rgx","cve":"CVE-2026-39960","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:34:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qj6w-v29q-4rgx"}]},{"advisoryId":"PKSA-gt1y-4mwq-1fky","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-j3v9-553h-x28j","title":"MantisBT is Vulnerable to XSS leading to account takeover via updating a user\u0027s font family preference","link":"https:\/\/github.com\/advisories\/GHSA-j3v9-553h-x28j","cve":"CVE-2026-40596","affectedVersions":"\u003E=2.11.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:34:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j3v9-553h-x28j"}]},{"advisoryId":"PKSA-vmj5-ycv9-cm2v","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-9c3j-xm6v-j7j3","title":"MantisBT has a Content Security Policy bypass via attachments","link":"https:\/\/github.com\/advisories\/GHSA-9c3j-xm6v-j7j3","cve":"CVE-2026-40597","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:34:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9c3j-xm6v-j7j3"}]},{"advisoryId":"PKSA-gycx-g1kn-1tnd","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-6jh4-47v2-4g37","title":"MantisBT has Potential Referer-Based Reflected HTML Injection \/ XSS in Tag Update Page","link":"https:\/\/github.com\/advisories\/GHSA-6jh4-47v2-4g37","cve":"CVE-2026-40598","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:35:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6jh4-47v2-4g37"}]},{"advisoryId":"PKSA-j9zz-q8wb-jgsg","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-f633-865q-2mhh","title":"MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column","link":"https:\/\/github.com\/advisories\/GHSA-f633-865q-2mhh","cve":"CVE-2026-40607","affectedVersions":"\u003E=2.1.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:35:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f633-865q-2mhh"}]},{"advisoryId":"PKSA-p4dp-frh9-2khv","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-j7v9-f46r-2rp4","title":"MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field","link":"https:\/\/github.com\/advisories\/GHSA-j7v9-f46r-2rp4","cve":"CVE-2026-41897","affectedVersions":"\u003E=1.0.0,\u003C2.28.2","source":"GitHub","reportedAt":"2026-05-11 19:39:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j7v9-f46r-2rp4"}]},{"advisoryId":"PKSA-67ww-bjf6-fqgz","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-pq86-j2c2-47f6","title":"MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API","link":"https:\/\/github.com\/advisories\/GHSA-pq86-j2c2-47f6","cve":"CVE-2026-42070","affectedVersions":"\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:39:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pq86-j2c2-47f6"}]},{"advisoryId":"PKSA-d3fh-4w7k-rvy1","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-pw5x-2mf9-3xc8","title":"MantisBT has a Private Bugnote Attachment Content Leak via REST API","link":"https:\/\/github.com\/advisories\/GHSA-pw5x-2mf9-3xc8","cve":"CVE-2026-42071","affectedVersions":"\u003E=2.23.0,\u003C=2.28.1","source":"GitHub","reportedAt":"2026-05-11 19:39:43","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pw5x-2mf9-3xc8"}]},{"advisoryId":"PKSA-7hdg-8xc6-bhnt","packageName":"mantisbt\/mantisbt","remoteId":"GHSA-68w5-w573-q2r8","title":"MantisBT Has Authorization Bypass in Global Profile Creation","link":"https:\/\/github.com\/advisories\/GHSA-68w5-w573-q2r8","cve":"CVE-2026-33052","affectedVersions":"\u003E=2.28.0,\u003C2.28.2","source":"GitHub","reportedAt":"2026-05-11 17:58:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-68w5-w573-q2r8"}]}],"yiisoft\/yii2":[{"advisoryId":"PKSA-mxtc-f5ct-dqqd","packageName":"yiisoft\/yii2","remoteId":"GHSA-5vpg-rj7q-qpw2","title":"Yii 2: Local file inclusion via view parameter name collision","link":"https:\/\/github.com\/advisories\/GHSA-5vpg-rj7q-qpw2","cve":"CVE-2026-39850","affectedVersions":"\u003C2.0.55","source":"GitHub","reportedAt":"2026-05-11 19:34:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-5vpg-rj7q-qpw2"}]}],"torrentpier\/torrentpier":[{"advisoryId":"PKSA-yfmp-ydrw-v24w","packageName":"torrentpier\/torrentpier","remoteId":"GHSA-h29g-c9cx-c73q","title":"torrentpier has PHP Serialize Injections","link":"https:\/\/github.com\/advisories\/GHSA-h29g-c9cx-c73q","cve":null,"affectedVersions":"\u003C=2.4.3","source":"GitHub","reportedAt":"2026-05-11 17:53:20","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-h29g-c9cx-c73q"}]}],"dolibarr\/dolibarr":[{"advisoryId":"PKSA-zbps-xm91-whkn","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-rvwr-q5hj-wq7g","title":"Dolibarr has an Injection issue","link":"https:\/\/github.com\/advisories\/GHSA-rvwr-q5hj-wq7g","cve":"CVE-2026-7688","affectedVersions":"\u003C=23.0.2","source":"GitHub","reportedAt":"2026-05-03 12:30:26","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rvwr-q5hj-wq7g"}]},{"advisoryId":"PKSA-dxkr-sbbp-889v","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-jggh-5rmh-r6h5","title":"Dolibarr has Insufficient Verification of Data Authenticity ","link":"https:\/\/github.com\/advisories\/GHSA-jggh-5rmh-r6h5","cve":"CVE-2026-7689","affectedVersions":"\u003C=15.0.3","source":"GitHub","reportedAt":"2026-05-03 12:30:26","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jggh-5rmh-r6h5"}]},{"advisoryId":"PKSA-pnx2-khzh-yv6p","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-j2g9-rprv-hrhc","title":"Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions","link":"https:\/\/github.com\/advisories\/GHSA-j2g9-rprv-hrhc","cve":"CVE-2026-31019","affectedVersions":"\u003C=22.0.4","source":"GitHub","reportedAt":"2026-04-21 15:32:22","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j2g9-rprv-hrhc"}]},{"advisoryId":"PKSA-ntds-z6nr-8hyf","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-676v-wh57-p375","title":"Dolibarr Allows Code Injection through its Website Module","link":"https:\/\/github.com\/advisories\/GHSA-676v-wh57-p375","cve":"CVE-2026-31018","affectedVersions":"\u003C=15.0.3","source":"GitHub","reportedAt":"2026-04-21 15:32:22","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-676v-wh57-p375"}]},{"advisoryId":"PKSA-5yjp-cmsh-j9sp","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-xxxg-x793-7fq3","title":"Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php","link":"https:\/\/github.com\/advisories\/GHSA-xxxg-x793-7fq3","cve":"CVE-2019-25710","affectedVersions":"\u003C=8.0.4","source":"GitHub","reportedAt":"2026-04-12 15:30:27","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xxxg-x793-7fq3"}]},{"advisoryId":"PKSA-ncsd-s9tq-7bj2","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-w5j3-8fcr-h87w","title":"Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration","link":"https:\/\/github.com\/advisories\/GHSA-w5j3-8fcr-h87w","cve":"CVE-2026-23500","affectedVersions":"\u003C=22.0.4","source":"GitHub","reportedAt":"2026-04-17 21:24:48","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w5j3-8fcr-h87w"}]}],"studio-42\/elfinder":[{"advisoryId":"PKSA-42xd-jnjn-nrty","packageName":"studio-42\/elfinder","remoteId":"GHSA-c3gj-q88f-7hqj","title":"elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)","link":"https:\/\/github.com\/advisories\/GHSA-c3gj-q88f-7hqj","cve":"CVE-2026-44521","affectedVersions":"\u003C=2.1.67","source":"GitHub","reportedAt":"2026-05-11 16:11:31","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c3gj-q88f-7hqj"}]},{"advisoryId":"PKSA-2p87-h1j5-yb5n","packageName":"studio-42\/elfinder","remoteId":"GHSA-8q4h-8crm-5cvc","title":"elFinder: Command injection in resize background color parameter when using ImageMagick CLI","link":"https:\/\/github.com\/advisories\/GHSA-8q4h-8crm-5cvc","cve":"CVE-2026-41247","affectedVersions":"\u003C2.1.67","source":"GitHub","reportedAt":"2026-04-17 22:33:51","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8q4h-8crm-5cvc"}]}],"snipe\/snipe-it":[{"advisoryId":"PKSA-rnj3-1mvy-45m9","packageName":"snipe\/snipe-it","remoteId":"GHSA-mghp-5cq4-v6mg","title":"Snipe-IT has an open redirect vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-mghp-5cq4-v6mg","cve":"CVE-2026-44833","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 23:25:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mghp-5cq4-v6mg"}]},{"advisoryId":"PKSA-p5z5-yvbr-44mr","packageName":"snipe\/snipe-it","remoteId":"GHSA-xg82-2hrv-hf64","title":"Snipe-IT has insecure permissions in file uploads","link":"https:\/\/github.com\/advisories\/GHSA-xg82-2hrv-hf64","cve":"CVE-2026-37709","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 23:04:36","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-xg82-2hrv-hf64"}]},{"advisoryId":"PKSA-t5t8-ptsk-b8c5","packageName":"snipe\/snipe-it","remoteId":"GHSA-r42m-953q-6vjx","title":"Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)","link":"https:\/\/github.com\/advisories\/GHSA-r42m-953q-6vjx","cve":"CVE-2026-44831","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 22:23:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r42m-953q-6vjx"}]},{"advisoryId":"PKSA-3w8f-xykp-s5ps","packageName":"snipe\/snipe-it","remoteId":"GHSA-hq28-crg7-95pr","title":"Snipe-IT has Privilege Escalation via API Permissions Assignment","link":"https:\/\/github.com\/advisories\/GHSA-hq28-crg7-95pr","cve":"CVE-2026-44832","affectedVersions":"\u003C8.4.1","source":"GitHub","reportedAt":"2026-05-08 22:24:45","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hq28-crg7-95pr"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-hzjv-c975-xrgc","packageName":"kimai\/kimai","remoteId":"GHSA-h5fh-7hwr-97mw","title":"Kimai has an arbitrary file read in its invoice PDF renderer (admin)","link":"https:\/\/github.com\/advisories\/GHSA-h5fh-7hwr-97mw","cve":"CVE-2026-44298","affectedVersions":"\u003E=2.32.0,\u003C=2.55","source":"GitHub","reportedAt":"2026-05-08 22:22:36","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h5fh-7hwr-97mw"}]},{"advisoryId":"PKSA-zy2k-4hm5-25gd","packageName":"kimai\/kimai","remoteId":"GHSA-vrqv-52x7-rm4v","title":"Kimai\u0027s Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice\/export templates","link":"https:\/\/github.com\/advisories\/GHSA-vrqv-52x7-rm4v","cve":null,"affectedVersions":"\u003C=2.55.0","source":"GitHub","reportedAt":"2026-05-06 18:42:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vrqv-52x7-rm4v"}]},{"advisoryId":"PKSA-5g91-2cyx-w1s8","packageName":"kimai\/kimai","remoteId":"GHSA-9g2q-w3w2-vf7q","title":"Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation","link":"https:\/\/github.com\/advisories\/GHSA-9g2q-w3w2-vf7q","cve":null,"affectedVersions":"\u003C=2.55.0","source":"GitHub","reportedAt":"2026-05-06 18:28:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9g2q-w3w2-vf7q"}]},{"advisoryId":"PKSA-z4ky-h9pc-hn66","packageName":"kimai\/kimai","remoteId":"GHSA-3xc2-h5r3-wv3r","title":"Kimai vulnerable to formula Injection via tag names in XLSX export","link":"https:\/\/github.com\/advisories\/GHSA-3xc2-h5r3-wv3r","cve":"CVE-2026-42267","affectedVersions":"\u003E=2.27.0,\u003C=2.53.0","source":"GitHub","reportedAt":"2026-05-05 20:53:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3xc2-h5r3-wv3r"}]},{"advisoryId":"PKSA-hb9p-xyj3-gfyj","packageName":"kimai\/kimai","remoteId":"GHSA-jv9x-w4gm-hwcm","title":"Kimai has Missing Object-Level Authorization in the Team API","link":"https:\/\/github.com\/advisories\/GHSA-jv9x-w4gm-hwcm","cve":"CVE-2026-41498","affectedVersions":"\u003C2.54.0","source":"GitHub","reportedAt":"2026-04-24 16:17:35","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jv9x-w4gm-hwcm"}]},{"advisoryId":"PKSA-v9zg-kkkv-rs7x","packageName":"kimai\/kimai","remoteId":"GHSA-jrc6-fmhw-fpq2","title":"Kimai: Username enumeration via timing on X-AUTH-USER","link":"https:\/\/github.com\/advisories\/GHSA-jrc6-fmhw-fpq2","cve":null,"affectedVersions":"\u003C=2.53.0","source":"GitHub","reportedAt":"2026-04-17 22:30:59","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jrc6-fmhw-fpq2"}]},{"advisoryId":"PKSA-ws9h-wxv9-tvcq","packageName":"kimai\/kimai","remoteId":"GHSA-g82g-m9vx-vhjg","title":"Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget","link":"https:\/\/github.com\/advisories\/GHSA-g82g-m9vx-vhjg","cve":"CVE-2026-40479","affectedVersions":"\u003C2.53.0","source":"GitHub","reportedAt":"2026-04-15 19:46:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g82g-m9vx-vhjg"}]},{"advisoryId":"PKSA-td5w-h5y4-9w1v","packageName":"kimai\/kimai","remoteId":"GHSA-qh43-xrjm-4ggp","title":"Kimai\u0027s User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate","link":"https:\/\/github.com\/advisories\/GHSA-qh43-xrjm-4ggp","cve":"CVE-2026-40486","affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-15 19:46:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qh43-xrjm-4ggp"}]},{"advisoryId":"PKSA-7mgs-q4t6-z3xx","packageName":"kimai\/kimai","remoteId":"GHSA-3jp4-mhh4-gcgr","title":"Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler","link":"https:\/\/github.com\/advisories\/GHSA-3jp4-mhh4-gcgr","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:06","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3jp4-mhh4-gcgr"}]},{"advisoryId":"PKSA-k88g-1gqq-x96c","packageName":"kimai\/kimai","remoteId":"GHSA-rh42-6rj2-xwmc","title":"Kimai leaks API Token Hash via Invoice Twig Template","link":"https:\/\/github.com\/advisories\/GHSA-rh42-6rj2-xwmc","cve":null,"affectedVersions":"\u003C=2.52.0","source":"GitHub","reportedAt":"2026-04-14 01:06:25","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rh42-6rj2-xwmc"}]}],"devcode-it\/openstamanager":[{"advisoryId":"PKSA-4d6v-4cnw-287h","packageName":"devcode-it\/openstamanager","remoteId":"GHSA-rm34-fg4m-39mw","title":"OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality ","link":"https:\/\/github.com\/advisories\/GHSA-rm34-fg4m-39mw","cve":"CVE-2026-38751","affectedVersions":"\u003C=2.10-beta","source":"GitHub","reportedAt":"2026-05-04 21:30:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rm34-fg4m-39mw"}]}],"prestashop\/prestashop":[{"advisoryId":"PKSA-f9zy-1yrp-415w","packageName":"prestashop\/prestashop","remoteId":"GHSA-w9f3-qc75-qgx9","title":"PrestaShop has a stored XSS executable in customer service view","link":"https:\/\/github.com\/advisories\/GHSA-w9f3-qc75-qgx9","cve":"CVE-2026-44212","affectedVersions":"\u003E=9.0.0,\u003C9.1.1|\u003C8.2.6","source":"GitHub","reportedAt":"2026-05-08 16:54:22","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w9f3-qc75-qgx9"}]}],"funadmin\/funadmin":[{"advisoryId":"PKSA-1r81-6z2f-xhbh","packageName":"funadmin\/funadmin","remoteId":"GHSA-qhh7-263p-54r3","title":"Funadmin has an Improper Access Control Issue","link":"https:\/\/github.com\/advisories\/GHSA-qhh7-263p-54r3","cve":"CVE-2026-7733","affectedVersions":"\u003C=7.1.0-rc6","source":"GitHub","reportedAt":"2026-05-04 06:32:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qhh7-263p-54r3"}]}],"web-auth\/webauthn-framework":[{"advisoryId":"PKSA-3b1p-96n1-3rfh","packageName":"web-auth\/webauthn-framework","remoteId":"GHSA-h4fw-6r7f-w494","title":"Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy","link":"https:\/\/github.com\/advisories\/GHSA-h4fw-6r7f-w494","cve":null,"affectedVersions":"\u003E=5.3.0,\u003C5.3.1","source":"GitHub","reportedAt":"2026-05-07 21:05:33","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-h4fw-6r7f-w494"}]}],"facturascripts\/facturascripts":[{"advisoryId":"PKSA-jz8v-9c91-p1x8","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-vrxf-vrc4-22p7","title":"FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint","link":"https:\/\/github.com\/advisories\/GHSA-vrxf-vrc4-22p7","cve":"CVE-2026-42878","affectedVersions":"\u003E=2026,\u003C=2026.1","source":"GitHub","reportedAt":"2026-05-07 19:43:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vrxf-vrc4-22p7"}]},{"advisoryId":"PKSA-rs14-58cq-g5jg","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-vf3q-frmr-vrr9","title":"FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images","link":"https:\/\/github.com\/advisories\/GHSA-vf3q-frmr-vrr9","cve":"CVE-2026-42879","affectedVersions":"\u003C=2025.81","source":"GitHub","reportedAt":"2026-05-07 19:49:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vf3q-frmr-vrr9"}]},{"advisoryId":"PKSA-xfzw-dtp7-gwj8","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-3pgc-xqg9-cfr6","title":"FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin Upload Mechanism","link":"https:\/\/github.com\/advisories\/GHSA-3pgc-xqg9-cfr6","cve":"CVE-2026-27891","affectedVersions":"\u003C=2025.71","source":"GitHub","reportedAt":"2026-05-07 19:32:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3pgc-xqg9-cfr6"}]},{"advisoryId":"PKSA-zck8-p11k-g1qj","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-q7f2-rv22-2xgr","title":"FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload\/Download","link":"https:\/\/github.com\/advisories\/GHSA-q7f2-rv22-2xgr","cve":"CVE-2026-27892","affectedVersions":"\u003C=2025.81","source":"GitHub","reportedAt":"2026-05-07 19:33:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q7f2-rv22-2xgr"}]},{"advisoryId":"PKSA-qm4y-jdfc-4pmf","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-gq5c-rw37-g46c","title":"FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation","link":"https:\/\/github.com\/advisories\/GHSA-gq5c-rw37-g46c","cve":"CVE-2026-27964","affectedVersions":"\u003C=2025.71","source":"GitHub","reportedAt":"2026-05-07 19:34:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-gq5c-rw37-g46c"}]},{"advisoryId":"PKSA-1ktk-zddg-2f2s","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-r736-2678-fcrx","title":"FacturaScripts vulnerable to stored XSS via product reference in sales\/purchases","link":"https:\/\/github.com\/advisories\/GHSA-r736-2678-fcrx","cve":"CVE-2026-42877","affectedVersions":"\u003C=2025.92","source":"GitHub","reportedAt":"2026-05-07 19:37:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r736-2678-fcrx"}]},{"advisoryId":"PKSA-8tbv-2p1s-9wnk","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-pp79-hqv6-vmc3","title":"FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable \u0027nick\u0027 Field","link":"https:\/\/github.com\/advisories\/GHSA-pp79-hqv6-vmc3","cve":"CVE-2026-32699","affectedVersions":"\u003C=2024.92.x-dev","source":"GitHub","reportedAt":"2026-04-28 22:39:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pp79-hqv6-vmc3"}]}],"mix\/mix":[{"advisoryId":"PKSA-vrn6-t5ym-qs6h","packageName":"mix\/mix","remoteId":"GHSA-vf35-8m4j-gm8v","title":"MixPHP Framework has an SQL injection vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-vf35-8m4j-gm8v","cve":"CVE-2026-42475","affectedVersions":"\u003E=2.0.0,\u003C=2.2.17","source":"GitHub","reportedAt":"2026-05-01 18:31:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vf35-8m4j-gm8v"}]},{"advisoryId":"PKSA-rnvq-qnrp-k5ms","packageName":"mix\/mix","remoteId":"GHSA-q57j-rwwx-7rwp","title":"MixPHP Framework has an SQL injection vulnerability via crafted `data` array","link":"https:\/\/github.com\/advisories\/GHSA-q57j-rwwx-7rwp","cve":"CVE-2026-42474","affectedVersions":"\u003E=2.0.0,\u003C=2.2.17","source":"GitHub","reportedAt":"2026-05-01 18:31:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-q57j-rwwx-7rwp"}]}],"intercom\/intercom-php":[{"advisoryId":"PKSA-gwt3-5dgf-97fx","packageName":"intercom\/intercom-php","remoteId":"GHSA-gr3r-crp5-qrrm","title":"Compromised tag of intercom-php published via GitHub","link":"https:\/\/github.com\/advisories\/GHSA-gr3r-crp5-qrrm","cve":null,"affectedVersions":"=5.0.2","source":"GitHub","reportedAt":"2026-05-07 16:48:41","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gr3r-crp5-qrrm"}]}],"cockpit-hq\/cockpit":[{"advisoryId":"PKSA-dpw9-65w1-pksf","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-j2rx-4jg9-79mw","title":"Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type","link":"https:\/\/github.com\/advisories\/GHSA-j2rx-4jg9-79mw","cve":"CVE-2026-38991","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 18:31:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j2rx-4jg9-79mw"}]},{"advisoryId":"PKSA-gx1h-274c-423s","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-p46p-7pmj-m34f","title":"Cockpit is vulnerable to directory traversal","link":"https:\/\/github.com\/advisories\/GHSA-p46p-7pmj-m34f","cve":"CVE-2026-38993","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 18:31:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p46p-7pmj-m34f"}]},{"advisoryId":"PKSA-496r-cnzn-ck12","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-fm6c-rhcf-7439","title":"Cockpit is vulnerable to arbitrary code execution","link":"https:\/\/github.com\/advisories\/GHSA-fm6c-rhcf-7439","cve":"CVE-2026-38992","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 15:30:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fm6c-rhcf-7439"}]},{"advisoryId":"PKSA-qffw-6vr2-p3h9","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-5pv2-86qj-5jf9","title":"Cockpit has NoSQL Injection Through Content Aggregation Pipelines","link":"https:\/\/github.com\/advisories\/GHSA-5pv2-86qj-5jf9","cve":"CVE-2026-6626","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-20 12:32:01","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5pv2-86qj-5jf9"}]}],"getgrav\/grav-plugin-form":[{"advisoryId":"PKSA-t8zh-nz62-2js9","packageName":"getgrav\/grav-plugin-form","remoteId":"GHSA-w4rc-p66m-x6qq","title":"Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override","link":"https:\/\/github.com\/advisories\/GHSA-w4rc-p66m-x6qq","cve":"CVE-2026-42845","affectedVersions":"\u003C9.1.0","source":"GitHub","reportedAt":"2026-05-06 23:03:13","composerRepository":null,"severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w4rc-p66m-x6qq"}]}],"bagisto\/bagisto":[{"advisoryId":"PKSA-fphw-3zcz-ygcb","packageName":"bagisto\/bagisto","remoteId":"GHSA-65fp-7g2v-658r","title":"Bagisto affected by Cross-site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-65fp-7g2v-658r","cve":"CVE-2026-6745","affectedVersions":"\u003C=2.3.15","source":"GitHub","reportedAt":"2026-04-21 21:31:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-65fp-7g2v-658r"}]},{"advisoryId":"PKSA-5txd-q8wz-njb7","packageName":"bagisto\/bagisto","remoteId":"GHSA-x3f9-vcp2-hgcw","title":"Bagisto affected by Server-Side Request Forgery","link":"https:\/\/github.com\/advisories\/GHSA-x3f9-vcp2-hgcw","cve":"CVE-2026-6744","affectedVersions":"\u003C=2.3.15","source":"GitHub","reportedAt":"2026-04-21 21:31:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-x3f9-vcp2-hgcw"}]}],"flightphp\/core":[{"advisoryId":"PKSA-wvkx-qqd9-sqb6","packageName":"flightphp\/core","remoteId":"GHSA-fcx8-ph5r-mxr4","title":"Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() ","link":"https:\/\/github.com\/advisories\/GHSA-fcx8-ph5r-mxr4","cve":"CVE-2026-42548","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:34:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fcx8-ph5r-mxr4"}]},{"advisoryId":"PKSA-1wr3-jdqm-7ppr","packageName":"flightphp\/core","remoteId":"GHSA-3xjv-pmf2-gf2q","title":"Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root","link":"https:\/\/github.com\/advisories\/GHSA-3xjv-pmf2-gf2q","cve":"CVE-2026-42549","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:34:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3xjv-pmf2-gf2q"}]},{"advisoryId":"PKSA-jtc2-k2n3-ck2b","packageName":"flightphp\/core","remoteId":"GHSA-xwqr-rcqg-22mr","title":"Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert \/ update \/ delete","link":"https:\/\/github.com\/advisories\/GHSA-xwqr-rcqg-22mr","cve":"CVE-2026-42550","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:35:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xwqr-rcqg-22mr"}]},{"advisoryId":"PKSA-w12s-8pdm-4hrq","packageName":"flightphp\/core","remoteId":"GHSA-vxrr-w42w-w76g","title":"Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass","link":"https:\/\/github.com\/advisories\/GHSA-vxrr-w42w-w76g","cve":"CVE-2026-42551","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:38:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vxrr-w42w-w76g"}]},{"advisoryId":"PKSA-c4m3-5zjm-wjht","packageName":"flightphp\/core","remoteId":"GHSA-qrch-52m5-vv85","title":"Flight vulnerable to sensitive information disclosure via default error handler","link":"https:\/\/github.com\/advisories\/GHSA-qrch-52m5-vv85","cve":"CVE-2026-42552","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:39:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qrch-52m5-vv85"}]}],"statamic\/cms":[{"advisoryId":"PKSA-ynr1-y6st-8cwm","packageName":"statamic\/cms","remoteId":"GHSA-m24v-f7g5-gq67","title":"Statamic CMS vulnerable to email enumeration via forgot password endpoint","link":"https:\/\/github.com\/advisories\/GHSA-m24v-f7g5-gq67","cve":"CVE-2026-44306","affectedVersions":"\u003E=6.0.0,\u003C6.15.0|\u003C5.73.21","source":"GitHub","reportedAt":"2026-05-06 20:54:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m24v-f7g5-gq67"}]},{"advisoryId":"PKSA-yx2m-bjk3-fnky","packageName":"statamic\/cms","remoteId":"GHSA-4jjr-vmv7-wh4w","title":"Statamic: Unsafe method invocation via query value resolution allows data destruction","link":"https:\/\/github.com\/advisories\/GHSA-4jjr-vmv7-wh4w","cve":"CVE-2026-41175","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.13.0|\u003C5.73.20","source":"GitHub","reportedAt":"2026-04-16 21:25:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jjr-vmv7-wh4w"}]}],"openmage\/magento-lts":[{"advisoryId":"PKSA-j61z-h6ts-jp8k","packageName":"openmage\/magento-lts","remoteId":"GHSA-x8jv-q8j2-487c","title":"Magento LTS: Reflected XSS - Import -\u003E Data Flow (profiles) ","link":"https:\/\/github.com\/advisories\/GHSA-x8jv-q8j2-487c","cve":"CVE-2026-42458","affectedVersions":"\u003C=20.17.0","source":"GitHub","reportedAt":"2026-05-06 20:57:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x8jv-q8j2-487c"}]},{"advisoryId":"PKSA-3c4m-s9d4-ycyr","packageName":"openmage\/magento-lts","remoteId":"GHSA-qpgq-5g92-j5q8","title":"Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`","link":"https:\/\/github.com\/advisories\/GHSA-qpgq-5g92-j5q8","cve":"CVE-2026-42207","affectedVersions":"\u003C=20.17.0","source":"GitHub","reportedAt":"2026-05-05 20:11:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qpgq-5g92-j5q8"}]},{"advisoryId":"PKSA-qjnm-jjkr-qktb","packageName":"openmage\/magento-lts","remoteId":"GHSA-2cwr-gcf9-pvxr","title":"Magento LTS has Weak API Session ID \u2014 Predictable MD5 of Time-Derived Inputs","link":"https:\/\/github.com\/advisories\/GHSA-2cwr-gcf9-pvxr","cve":"CVE-2026-42155","affectedVersions":"\u003C=20.17.0","source":"GitHub","reportedAt":"2026-05-05 19:35:56","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-2cwr-gcf9-pvxr"}]},{"advisoryId":"PKSA-ctbx-q2cr-ntvc","packageName":"openmage\/magento-lts","remoteId":"GHSA-3j5q-7q7h-2hhv","title":"OpenMage LTS: Customer File Upload Extension Blocklist Bypass \u2192 Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-3j5q-7q7h-2hhv","cve":"CVE-2026-40488","affectedVersions":"\u003C=20.16.0","source":"GitHub","reportedAt":"2026-04-21 18:53:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3j5q-7q7h-2hhv"}]},{"advisoryId":"PKSA-sg96-p97c-1769","packageName":"openmage\/magento-lts","remoteId":"GHSA-665x-ppc4-685w","title":"OpenMage LTS: Cross-user wishlist import leads to private option \u0026 file disclosure","link":"https:\/\/github.com\/advisories\/GHSA-665x-ppc4-685w","cve":"CVE-2026-40098","affectedVersions":"\u003C20.17.0","source":"GitHub","reportedAt":"2026-04-21 15:20:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-665x-ppc4-685w"}]},{"advisoryId":"PKSA-w28m-jx16-bpbn","packageName":"openmage\/magento-lts","remoteId":"GHSA-fg79-cr9c-7369","title":"OpenMage LTS: Phar Deserialization leads to Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-fg79-cr9c-7369","cve":"CVE-2026-25524","affectedVersions":"\u003C20.17.0","source":"GitHub","reportedAt":"2026-04-21 14:32:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fg79-cr9c-7369"}]},{"advisoryId":"PKSA-t8bb-kchx-xyxb","packageName":"openmage\/magento-lts","remoteId":"GHSA-6vqf-6fhm-7rc6","title":"OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module","link":"https:\/\/github.com\/advisories\/GHSA-6vqf-6fhm-7rc6","cve":"CVE-2026-25525","affectedVersions":"\u003C20.17.0","source":"GitHub","reportedAt":"2026-04-21 14:35:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6vqf-6fhm-7rc6"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-q6mm-vp1w-mgjs","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-n87n-9t5q-zcf5","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-k9ft-9rnh-h8dn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-djzh-dx9x-j5hd","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-trv8-7xnx-t8d9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-198b-7kr6-ksdh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | raw Filter in search.twig \u2014 html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-42b7-bh2b-d7nn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-pmsp-dtdj-k1f9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-1zxw-krpv-74xh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-b77f-s5cd-b1qh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-p58s-jb5m-qycz","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-7cx3-2qx2-3g6w","title":"phpMyFAQ\u0027s Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags","link":"https:\/\/github.com\/advisories\/GHSA-7cx3-2qx2-3g6w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:12:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cx3-2qx2-3g6w"}]},{"advisoryId":"PKSA-jr2y-dd2x-qtks","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-sw8q-jkxw-m11r","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-6pt5-mfr3-5b72","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-r4gq-dd3d-gxrj","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-76kk-7mdh-r8h5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-tvkw-wcnm-h63h","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-6nrc-qfr1-rds3","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-7dk8-b5d5-n9bf","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | raw Filter in search.twig \u2014 html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-v8r2-1321-xzpp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-n88j-cgtd-2fvg","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-vm8f-6283-2vfw","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-8syh-w2cp-tqks","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-117q-9kx2-kjzm","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-7cx3-2qx2-3g6w","title":"phpMyFAQ\u0027s Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags","link":"https:\/\/github.com\/advisories\/GHSA-7cx3-2qx2-3g6w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:12:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cx3-2qx2-3g6w"}]},{"advisoryId":"PKSA-6zc3-3brt-ftsh","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-jn65-sph2-9wn9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"dedoc\/scramble":[{"advisoryId":"PKSA-kb5d-bgb1-8ykp","packageName":"dedoc\/scramble","remoteId":"GHSA-4rm2-28vj-fj39","title":"Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules","link":"https:\/\/github.com\/advisories\/GHSA-4rm2-28vj-fj39","cve":"CVE-2026-44262","affectedVersions":"\u003E=0.13.2,\u003C=0.13.21","source":"GitHub","reportedAt":"2026-05-06 19:54:56","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-4rm2-28vj-fj39"}]},{"advisoryId":"PKSA-qgg1-cfs4-rkb8","packageName":"dedoc\/scramble","remoteId":"dedoc\/scramble\/2026-04-28.yaml","title":"Remote code execution via evaluation of user-controlled input in validation rules","link":"https:\/\/github.com\/dedoc\/scramble\/security\/advisories\/GHSA-4rm2-28vj-fj39","cve":null,"affectedVersions":"\u003E=0.13.2,\u003C0.13.22","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-28 00:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"dedoc\/scramble\/2026-04-28.yaml"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-m2yg-zp8k-8hxj","packageName":"pimcore\/pimcore","remoteId":"GHSA-7gxw-q9j5-mrj4","title":"Pimcore has an authenticated Cross-site Scripting issue","link":"https:\/\/github.com\/advisories\/GHSA-7gxw-q9j5-mrj4","cve":"CVE-2026-5362","affectedVersions":"=12.3.3","source":"GitHub","reportedAt":"2026-04-27 21:31:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7gxw-q9j5-mrj4"}]},{"advisoryId":"PKSA-vp19-ydt7-tws9","packageName":"pimcore\/pimcore","remoteId":"GHSA-c8g3-x47w-8q7p","title":"Pimcore admin users can trigger SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-c8g3-x47w-8q7p","cve":"CVE-2026-5394","affectedVersions":"=12.3.3","source":"GitHub","reportedAt":"2026-04-27 21:31:02","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c8g3-x47w-8q7p"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-7b21-z11x-97gc","packageName":"craftcms\/cms","remoteId":"GHSA-qrgm-p9w5-rrfw","title":"Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior","link":"https:\/\/github.com\/advisories\/GHSA-qrgm-p9w5-rrfw","cve":"CVE-2026-44011","affectedVersions":"\u003E=5.0.0,\u003C5.9.18|\u003E=4.0.0,\u003C4.17.12","source":"GitHub","reportedAt":"2026-05-06 17:54:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qrgm-p9w5-rrfw"}]},{"advisoryId":"PKSA-tj2m-c963-6jtt","packageName":"craftcms\/cms","remoteId":"GHSA-33m5-hqp9-97pw","title":"Craft CMS\u0027s Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-33m5-hqp9-97pw","cve":"CVE-2026-44012","affectedVersions":"\u003E=5.0.0-RC1,\u003C5.9.18","source":"GitHub","reportedAt":"2026-05-06 17:54:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-33m5-hqp9-97pw"}]},{"advisoryId":"PKSA-sxz1-z4jg-2vhh","packageName":"craftcms\/cms","remoteId":"GHSA-gj2p-p9m4-c8gw","title":"Craft CMS\u0027s Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-gj2p-p9m4-c8gw","cve":"CVE-2026-44010","affectedVersions":"\u003E=4.0.0,\u003C4.17.12|\u003E=5.0.0,\u003C5.9.18","source":"GitHub","reportedAt":"2026-05-06 17:49:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gj2p-p9m4-c8gw"}]},{"advisoryId":"PKSA-dmwd-n76s-m3f9","packageName":"craftcms\/cms","remoteId":"GHSA-jq2f-59pj-p3m3","title":"Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action","link":"https:\/\/github.com\/advisories\/GHSA-jq2f-59pj-p3m3","cve":"CVE-2026-41128","affectedVersions":"\u003E=5.6.0,\u003C5.9.15","source":"GitHub","reportedAt":"2026-04-14 23:34:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jq2f-59pj-p3m3"}]},{"advisoryId":"PKSA-wb3t-ts8t-d4cj","packageName":"craftcms\/cms","remoteId":"GHSA-3m9m-24vh-39wx","title":"Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations","link":"https:\/\/github.com\/advisories\/GHSA-3m9m-24vh-39wx","cve":"CVE-2026-41129","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:35:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3m9m-24vh-39wx"}]},{"advisoryId":"PKSA-ntd3-69q5-4cfy","packageName":"craftcms\/cms","remoteId":"GHSA-95wr-3f2v-v2wh","title":"Craft CMS has a host header injection leading to SSRF via resource-js endpoint","link":"https:\/\/github.com\/advisories\/GHSA-95wr-3f2v-v2wh","cve":"CVE-2026-41130","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:36:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-95wr-3f2v-v2wh"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-fx66-ws43-zr1x","packageName":"wwbn\/avideo","remoteId":"GHSA-xr49-f4rh-qcjf","title":"AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization","link":"https:\/\/github.com\/advisories\/GHSA-xr49-f4rh-qcjf","cve":"CVE-2026-43885","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:20:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xr49-f4rh-qcjf"}]},{"advisoryId":"PKSA-81bf-8cfg-hbh2","packageName":"wwbn\/avideo","remoteId":"GHSA-mwgh-92m2-wvhv","title":"AVideo: Unauthenticated CRLF\/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing","link":"https:\/\/github.com\/advisories\/GHSA-mwgh-92m2-wvhv","cve":"CVE-2026-43882","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:14:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mwgh-92m2-wvhv"}]},{"advisoryId":"PKSA-45d7-4cq7-wyg1","packageName":"wwbn\/avideo","remoteId":"GHSA-958h-qp3x-q4gj","title":"AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements","link":"https:\/\/github.com\/advisories\/GHSA-958h-qp3x-q4gj","cve":"CVE-2026-43883","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:16:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-958h-qp3x-q4gj"}]},{"advisoryId":"PKSA-458v-1gr5-bf2y","packageName":"wwbn\/avideo","remoteId":"GHSA-2hch-c97c-g99x","title":"AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()","link":"https:\/\/github.com\/advisories\/GHSA-2hch-c97c-g99x","cve":"CVE-2026-43884","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:16:33","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2hch-c97c-g99x"}]},{"advisoryId":"PKSA-m1k1-6n5g-5skj","packageName":"wwbn\/avideo","remoteId":"GHSA-6rvw-7p8v-mjfq","title":"AVideo: Unauthenticated User Enumeration in objects\/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction","link":"https:\/\/github.com\/advisories\/GHSA-6rvw-7p8v-mjfq","cve":"CVE-2026-43881","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:02:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6rvw-7p8v-mjfq"}]},{"advisoryId":"PKSA-7c98-nyt4-qt25","packageName":"wwbn\/avideo","remoteId":"GHSA-5hgj-7gm9-cff5","title":"AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site\u2019s Legitimate From Address","link":"https:\/\/github.com\/advisories\/GHSA-5hgj-7gm9-cff5","cve":"CVE-2026-43880","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 21:56:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5hgj-7gm9-cff5"}]},{"advisoryId":"PKSA-n1mw-ddw6-yyqd","packageName":"wwbn\/avideo","remoteId":"GHSA-wp38-whx3-xffh","title":"AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass","link":"https:\/\/github.com\/advisories\/GHSA-wp38-whx3-xffh","cve":"CVE-2026-43879","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 21:49:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wp38-whx3-xffh"}]},{"advisoryId":"PKSA-71gv-fx3g-ynk8","packageName":"wwbn\/avideo","remoteId":"GHSA-g9cm-rxp7-6gv5","title":"AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers","link":"https:\/\/github.com\/advisories\/GHSA-g9cm-rxp7-6gv5","cve":"CVE-2026-43876","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:11:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g9cm-rxp7-6gv5"}]},{"advisoryId":"PKSA-7rzh-pwkp-t841","packageName":"wwbn\/avideo","remoteId":"GHSA-jw8g-5j46-44rp","title":"AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users\u0027 Profile Photos with Arbitrary Content","link":"https:\/\/github.com\/advisories\/GHSA-jw8g-5j46-44rp","cve":"CVE-2026-43877","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:13:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jw8g-5j46-44rp"}]},{"advisoryId":"PKSA-x5f2-6rvc-vhkd","packageName":"wwbn\/avideo","remoteId":"GHSA-mm5f-8q57-4fc4","title":"Video: Reflected XSS in plugin\/Meet\/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal","link":"https:\/\/github.com\/advisories\/GHSA-mm5f-8q57-4fc4","cve":"CVE-2026-43878","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:15:56","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mm5f-8q57-4fc4"}]},{"advisoryId":"PKSA-15fj-zg4r-zsnq","packageName":"wwbn\/avideo","remoteId":"GHSA-ghcv-22jf-vfxm","title":"AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg[\u0027json\u0027]` Relay Bypass","link":"https:\/\/github.com\/advisories\/GHSA-ghcv-22jf-vfxm","cve":"CVE-2026-43874","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:07:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ghcv-22jf-vfxm"}]},{"advisoryId":"PKSA-dbh3-mg7m-c1nc","packageName":"wwbn\/avideo","remoteId":"GHSA-5w8w-26ch-v5cw","title":"AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover","link":"https:\/\/github.com\/advisories\/GHSA-5w8w-26ch-v5cw","cve":"CVE-2026-43875","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:08:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5w8w-26ch-v5cw"}]},{"advisoryId":"PKSA-5tbj-dcxw-w2wv","packageName":"wwbn\/avideo","remoteId":"GHSA-qm9p-p5pw-jrx2","title":"AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server","link":"https:\/\/github.com\/advisories\/GHSA-qm9p-p5pw-jrx2","cve":"CVE-2026-43873","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 18:58:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qm9p-p5pw-jrx2"}]},{"advisoryId":"PKSA-z3t4-4xbz-b3c9","packageName":"wwbn\/avideo","remoteId":"GHSA-xr6f-h4x7-r6qp","title":"WWBN AVideo: RCE cause by clonesite plugin","link":"https:\/\/github.com\/advisories\/GHSA-xr6f-h4x7-r6qp","cve":"CVE-2026-41304","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-16 21:25:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xr6f-h4x7-r6qp"}]},{"advisoryId":"PKSA-q934-7bnb-4bby","packageName":"wwbn\/avideo","remoteId":"GHSA-5879-4fmr-xwf2","title":"WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal","link":"https:\/\/github.com\/advisories\/GHSA-5879-4fmr-xwf2","cve":"CVE-2026-41058","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:21:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5879-4fmr-xwf2"}]},{"advisoryId":"PKSA-8cks-7g1w-tz19","packageName":"wwbn\/avideo","remoteId":"GHSA-j432-4w3j-3w8j","title":"WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL","link":"https:\/\/github.com\/advisories\/GHSA-j432-4w3j-3w8j","cve":"CVE-2026-41060","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j432-4w3j-3w8j"}]},{"advisoryId":"PKSA-gxyd-jpvf-3ngj","packageName":"wwbn\/avideo","remoteId":"GHSA-8pv3-29pp-pf8f","title":"WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver","link":"https:\/\/github.com\/advisories\/GHSA-8pv3-29pp-pf8f","cve":"CVE-2026-41061","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8pv3-29pp-pf8f"}]},{"advisoryId":"PKSA-pt2z-fxr4-fvmc","packageName":"wwbn\/avideo","remoteId":"GHSA-m63r-m9jh-3vc6","title":"WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters","link":"https:\/\/github.com\/advisories\/GHSA-m63r-m9jh-3vc6","cve":"CVE-2026-41062","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:23:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m63r-m9jh-3vc6"}]},{"advisoryId":"PKSA-gvmz-qdx4-njzh","packageName":"wwbn\/avideo","remoteId":"GHSA-m7r8-6q9j-m2hc","title":"WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS","link":"https:\/\/github.com\/advisories\/GHSA-m7r8-6q9j-m2hc","cve":"CVE-2026-41063","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:25:28","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m7r8-6q9j-m2hc"}]},{"advisoryId":"PKSA-v7bq-jd15-qdrz","packageName":"wwbn\/avideo","remoteId":"GHSA-pq8p-wc4f-vg7j","title":"WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-pq8p-wc4f-vg7j","cve":"CVE-2026-41064","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:27:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pq8p-wc4f-vg7j"}]},{"advisoryId":"PKSA-nfcd-g6c3-5tff","packageName":"wwbn\/avideo","remoteId":"GHSA-vvfw-4m39-fjqf","title":"WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials","link":"https:\/\/github.com\/advisories\/GHSA-vvfw-4m39-fjqf","cve":"CVE-2026-40925","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vvfw-4m39-fjqf"}]},{"advisoryId":"PKSA-ttj4-18vr-tsp9","packageName":"wwbn\/avideo","remoteId":"GHSA-ffw8-fwxp-h64w","title":"WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)","link":"https:\/\/github.com\/advisories\/GHSA-ffw8-fwxp-h64w","cve":"CVE-2026-40926","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ffw8-fwxp-h64w"}]},{"advisoryId":"PKSA-k36z-m2m9-7f9w","packageName":"wwbn\/avideo","remoteId":"GHSA-x2pw-9c38-cp2j","title":"WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion","link":"https:\/\/github.com\/advisories\/GHSA-x2pw-9c38-cp2j","cve":"CVE-2026-40928","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x2pw-9c38-cp2j"}]},{"advisoryId":"PKSA-8nj2-vhcz-7bc5","packageName":"wwbn\/avideo","remoteId":"GHSA-8qm8-g55h-xmqr","title":"WWBN AVideo is missing CSRF protection in objects\/commentDelete.json.php enables mass comment deletion against moderators and content creators","link":"https:\/\/github.com\/advisories\/GHSA-8qm8-g55h-xmqr","cve":"CVE-2026-40929","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8qm8-g55h-xmqr"}]},{"advisoryId":"PKSA-k6wt-ck7m-8514","packageName":"wwbn\/avideo","remoteId":"GHSA-hg7g-56h5-5pqr","title":"CAPTCHA Bypass in WWBN\/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure","link":"https:\/\/github.com\/advisories\/GHSA-hg7g-56h5-5pqr","cve":"CVE-2026-40935","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hg7g-56h5-5pqr"}]},{"advisoryId":"PKSA-zgmc-4215-ztzk","packageName":"wwbn\/avideo","remoteId":"GHSA-793q-xgj6-7frp","title":"WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF","link":"https:\/\/github.com\/advisories\/GHSA-793q-xgj6-7frp","cve":"CVE-2026-41055","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:15:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-793q-xgj6-7frp"}]},{"advisoryId":"PKSA-5c4b-gnfd-8xsq","packageName":"wwbn\/avideo","remoteId":"GHSA-ccq9-r5cw-5hwq","title":"WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover","link":"https:\/\/github.com\/advisories\/GHSA-ccq9-r5cw-5hwq","cve":"CVE-2026-41056","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ccq9-r5cw-5hwq"}]},{"advisoryId":"PKSA-tsyg-vszv-9tkz","packageName":"wwbn\/avideo","remoteId":"GHSA-ff5q-cc22-fgp4","title":"WWBN AVideo has a CORS Origin Reflection Bypass via plugin\/API\/router.php and allowOrigin(true) Exposes Authenticated API Responses","link":"https:\/\/github.com\/advisories\/GHSA-ff5q-cc22-fgp4","cve":"CVE-2026-41057","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ff5q-cc22-fgp4"}]},{"advisoryId":"PKSA-zr2c-vrf1-x6qy","packageName":"wwbn\/avideo","remoteId":"GHSA-gph2-j4c9-vhhr","title":"WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks","link":"https:\/\/github.com\/advisories\/GHSA-gph2-j4c9-vhhr","cve":"CVE-2026-40911","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:50:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gph2-j4c9-vhhr"}]},{"advisoryId":"PKSA-2sy8-4q8b-cn2c","packageName":"wwbn\/avideo","remoteId":"GHSA-gpgp-w4x2-h3h7","title":"WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users\u0027 Stream Keys and OAuth Tokens","link":"https:\/\/github.com\/advisories\/GHSA-gpgp-w4x2-h3h7","cve":"CVE-2026-40907","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gpgp-w4x2-h3h7"}]},{"advisoryId":"PKSA-yc9y-ydj1-h48d","packageName":"wwbn\/avideo","remoteId":"GHSA-52hf-63q4-r926","title":"WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version","link":"https:\/\/github.com\/advisories\/GHSA-52hf-63q4-r926","cve":"CVE-2026-40908","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:25","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-52hf-63q4-r926"}]},{"advisoryId":"PKSA-mbzn-myxk-vdz9","packageName":"wwbn\/avideo","remoteId":"GHSA-6rc6-p838-686f","title":"WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-6rc6-p838-686f","cve":"CVE-2026-40909","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6rc6-p838-686f"}]},{"advisoryId":"PKSA-1msk-y5kh-hb4p","packageName":"wwbn\/avideo","remoteId":"GHSA-v467-g7g7-hhfh","title":"AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation","link":"https:\/\/github.com\/advisories\/GHSA-v467-g7g7-hhfh","cve":"CVE-2026-33237","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-v467-g7g7-hhfh"}]},{"advisoryId":"PKSA-484r-cdwt-2gm4","packageName":"wwbn\/avideo","remoteId":"GHSA-4wmm-6qxj-fpj4","title":"AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration","link":"https:\/\/github.com\/advisories\/GHSA-4wmm-6qxj-fpj4","cve":"CVE-2026-33238","affectedVersions":"\u003C=25.0","source":"GitHub","reportedAt":"2026-03-19 12:43:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4wmm-6qxj-fpj4"}]}],"getgrav\/grav-plugin-api":[{"advisoryId":"PKSA-pxqc-bymp-4wtn","packageName":"getgrav\/grav-plugin-api","remoteId":"GHSA-r945-h4vm-h736","title":"Grav API Privilege Escalation to Super Admin","link":"https:\/\/github.com\/advisories\/GHSA-r945-h4vm-h736","cve":"CVE-2026-42843","affectedVersions":"\u003C1.0.0-beta.15","source":"GitHub","reportedAt":"2026-05-05 21:20:03","composerRepository":null,"severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r945-h4vm-h736"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-smrh-yx37-92ws","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-3qpq-r242-jqj7","title":"phpseclib has a CVE-2024-27355 mitigation bypass \u2014 OID amplification DoS in ASN1::decodeOID()","link":"https:\/\/github.com\/advisories\/GHSA-3qpq-r242-jqj7","cve":"CVE-2026-44167","affectedVersions":"\u003E=0.1.1,\u003C=1.0.28|\u003E=3.0.0,\u003C=3.0.51|\u003E=2.0.0,\u003C=2.0.53","source":"GitHub","reportedAt":"2026-05-05 21:17:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3qpq-r242-jqj7"}]},{"advisoryId":"PKSA-zh4j-by9m-7mz8","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-r854-jrxh-36qx","title":"phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()","link":"https:\/\/github.com\/advisories\/GHSA-r854-jrxh-36qx","cve":"CVE-2026-40194","affectedVersions":"\u003E=0.1.1,\u003C1.0.28|\u003E=3.0.0,\u003C3.0.51|\u003E=2.0.0,\u003C2.0.53","source":"GitHub","reportedAt":"2026-04-10 20:58:10","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-r854-jrxh-36qx"}]},{"advisoryId":"PKSA-km2b-zc3b-mjm3","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-94g3-g5v7-q4jg","title":"phpseclib\u0027s AES-CBC unpadding susceptible to padding oracle timing attack","link":"https:\/\/github.com\/advisories\/GHSA-94g3-g5v7-q4jg","cve":"CVE-2026-32935","affectedVersions":"\u003E=0.1.1,\u003C=1.0.26|\u003E=2.0.0,\u003C=2.0.51|\u003E=3.0.0,\u003C=3.0.49","source":"GitHub","reportedAt":"2026-03-19 16:42:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-94g3-g5v7-q4jg"}]}],"showdoc\/showdoc":[{"advisoryId":"PKSA-r6d8-qs1d-pj19","packageName":"showdoc\/showdoc","remoteId":"GHSA-fm5r-cj7v-rj2c","title":"ShowDoc has an Injection vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-fm5r-cj7v-rj2c","cve":"CVE-2026-6982","affectedVersions":"\u003C3.8.1","source":"GitHub","reportedAt":"2026-04-25 15:33:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fm5r-cj7v-rj2c"}]}],"admidio\/admidio":[{"advisoryId":"PKSA-k2cf-4hh1-rf1y","packageName":"admidio\/admidio","remoteId":"GHSA-hcjj-chvw-fmw9","title":"Admidio has an incomplete fix for CVE-2026-32812 (SSRF)","link":"https:\/\/github.com\/advisories\/GHSA-hcjj-chvw-fmw9","cve":"CVE-2026-42194","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-05-05 20:03:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hcjj-chvw-fmw9"}]},{"advisoryId":"PKSA-n418-ymkg-hg9x","packageName":"admidio\/admidio","remoteId":"GHSA-gq27-fc8w-vcmp","title":"Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion","link":"https:\/\/github.com\/advisories\/GHSA-gq27-fc8w-vcmp","cve":"CVE-2026-41661","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:51:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq27-fc8w-vcmp"}]},{"advisoryId":"PKSA-c3x4-7b97-m7w3","packageName":"admidio\/admidio","remoteId":"GHSA-c7xm-r6vj-8vg6","title":"Admidio Missing Minimum Administrator Check in Role Membership Removal","link":"https:\/\/github.com\/advisories\/GHSA-c7xm-r6vj-8vg6","cve":"CVE-2026-41662","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:53:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c7xm-r6vj-8vg6"}]},{"advisoryId":"PKSA-j859-828r-5ckz","packageName":"admidio\/admidio","remoteId":"GHSA-rw74-vc9h-534j","title":"Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send","link":"https:\/\/github.com\/advisories\/GHSA-rw74-vc9h-534j","cve":"CVE-2026-41663","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:54:30","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rw74-vc9h-534j"}]},{"advisoryId":"PKSA-mwvm-8f5c-nh8q","packageName":"admidio\/admidio","remoteId":"GHSA-25cw-98hg-g3cg","title":"Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests","link":"https:\/\/github.com\/advisories\/GHSA-25cw-98hg-g3cg","cve":"CVE-2026-41669","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:56:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-25cw-98hg-g3cg"}]},{"advisoryId":"PKSA-k4tr-44q9-mfgg","packageName":"admidio\/admidio","remoteId":"GHSA-p9w9-87c8-m235","title":"Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest","link":"https:\/\/github.com\/advisories\/GHSA-p9w9-87c8-m235","cve":"CVE-2026-41670","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:57:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p9w9-87c8-m235"}]},{"advisoryId":"PKSA-n1pt-kptp-xq6q","packageName":"admidio\/admidio","remoteId":"GHSA-9xx5-cv6j-x533","title":"Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation","link":"https:\/\/github.com\/advisories\/GHSA-9xx5-cv6j-x533","cve":"CVE-2026-41671","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:58:56","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9xx5-cv6j-x533"}]},{"advisoryId":"PKSA-dmht-7tmz-kr72","packageName":"admidio\/admidio","remoteId":"GHSA-m9h6-8pqm-xrhf","title":"Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read","link":"https:\/\/github.com\/advisories\/GHSA-m9h6-8pqm-xrhf","cve":"CVE-2026-41656","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:42:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m9h6-8pqm-xrhf"}]},{"advisoryId":"PKSA-9g4b-9vzm-tggf","packageName":"admidio\/admidio","remoteId":"GHSA-g8p8-94f2-28gr","title":"Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php","link":"https:\/\/github.com\/advisories\/GHSA-g8p8-94f2-28gr","cve":"CVE-2026-41657","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:44:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g8p8-94f2-28gr"}]},{"advisoryId":"PKSA-rj3x-dwht-5vgg","packageName":"admidio\/admidio","remoteId":"GHSA-xqv4-xm7h-52cv","title":"Admidio\u0027s Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items","link":"https:\/\/github.com\/advisories\/GHSA-xqv4-xm7h-52cv","cve":"CVE-2026-41658","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:46:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xqv4-xm7h-52cv"}]},{"advisoryId":"PKSA-f5x6-www4-q362","packageName":"admidio\/admidio","remoteId":"GHSA-68pr-7prh-mpv4","title":"Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment","link":"https:\/\/github.com\/advisories\/GHSA-68pr-7prh-mpv4","cve":"CVE-2026-41659","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:47:29","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-68pr-7prh-mpv4"}]},{"advisoryId":"PKSA-z1nh-b6vq-4kjj","packageName":"admidio\/admidio","remoteId":"GHSA-rh3w-4ccx-prf9","title":"Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP","link":"https:\/\/github.com\/advisories\/GHSA-rh3w-4ccx-prf9","cve":"CVE-2026-41660","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:49:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rh3w-4ccx-prf9"}]},{"advisoryId":"PKSA-cp5f-g188-kj61","packageName":"admidio\/admidio","remoteId":"GHSA-m3vp-3jjm-gpmx","title":"Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials","link":"https:\/\/github.com\/advisories\/GHSA-m3vp-3jjm-gpmx","cve":"CVE-2026-41655","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:37:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m3vp-3jjm-gpmx"}]}],"webonyx\/graphql-php":[{"advisoryId":"PKSA-xwpn-zs9j-6wy5","packageName":"webonyx\/graphql-php","remoteId":"GHSA-r7cg-qjjm-xhqq","title":"webonyx\/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input","link":"https:\/\/github.com\/advisories\/GHSA-r7cg-qjjm-xhqq","cve":null,"affectedVersions":"\u003C=15.32.2","source":"GitHub","reportedAt":"2026-05-05 17:24:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r7cg-qjjm-xhqq"}]},{"advisoryId":"PKSA-sf9j-1gs7-xzvx","packageName":"webonyx\/graphql-php","remoteId":"GHSA-fc86-6rv6-2jpm","title":"webonyx\/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments","link":"https:\/\/github.com\/advisories\/GHSA-fc86-6rv6-2jpm","cve":null,"affectedVersions":"\u003C15.32.2","source":"GitHub","reportedAt":"2026-05-04 22:22:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fc86-6rv6-2jpm"}]},{"advisoryId":"PKSA-7h5p-prw9-w5nr","packageName":"webonyx\/graphql-php","remoteId":"GHSA-68jq-c3rv-pcrr","title":"graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation","link":"https:\/\/github.com\/advisories\/GHSA-68jq-c3rv-pcrr","cve":"CVE-2026-40476","affectedVersions":"\u003C=15.31.4","source":"GitHub","reportedAt":"2026-04-14 01:05:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-68jq-c3rv-pcrr"}]}],"mckenziearts\/livewire-markdown-editor":[{"advisoryId":"PKSA-nr7m-pf27-n9rt","packageName":"mckenziearts\/livewire-markdown-editor","remoteId":"GHSA-gxxh-8vcj-w2mh","title":"livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler","link":"https:\/\/github.com\/advisories\/GHSA-gxxh-8vcj-w2mh","cve":null,"affectedVersions":"\u003C1.3","source":"GitHub","reportedAt":"2026-05-04 22:11:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gxxh-8vcj-w2mh"}]}],"nabeel\/phpvms":[{"advisoryId":"PKSA-21zk-g67c-5537","packageName":"nabeel\/phpvms","remoteId":"GHSA-fv26-4939-62fh","title":"phpVMS has an \/importer authorization bypass causing full database wipe","link":"https:\/\/github.com\/advisories\/GHSA-fv26-4939-62fh","cve":"CVE-2026-42569","affectedVersions":"\u003C7.0.6","source":"GitHub","reportedAt":"2026-05-04 21:20:40","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fv26-4939-62fh"}]}],"azuracast\/azuracast":[{"advisoryId":"PKSA-nx6v-99r9-ndh5","packageName":"azuracast\/azuracast","remoteId":"GHSA-vp2f-cqqp-478j","title":"AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload","link":"https:\/\/github.com\/advisories\/GHSA-vp2f-cqqp-478j","cve":"CVE-2026-42605","affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:16:51","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vp2f-cqqp-478j"}]},{"advisoryId":"PKSA-8467-6xvh-v57b","packageName":"azuracast\/azuracast","remoteId":"GHSA-gv7r-3mr9-h5x8","title":"AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv7r-3mr9-h5x8","cve":"CVE-2026-42606","affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:17:45","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gv7r-3mr9-h5x8"}]},{"advisoryId":"PKSA-x7rb-qk7x-brrk","packageName":"azuracast\/azuracast","remoteId":"GHSA-4fm3-ggg2-c6qx","title":"AzuraCast\u0027s Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption","link":"https:\/\/github.com\/advisories\/GHSA-4fm3-ggg2-c6qx","cve":null,"affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:18:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4fm3-ggg2-c6qx"}]},{"advisoryId":"PKSA-6p4x-2pyn-gcq9","packageName":"azuracast\/azuracast","remoteId":"GHSA-qff7-q5fm-8p76","title":"AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration","link":"https:\/\/github.com\/advisories\/GHSA-qff7-q5fm-8p76","cve":null,"affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:19:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qff7-q5fm-8p76"}]},{"advisoryId":"PKSA-wgbn-7zcq-1tdt","packageName":"azuracast\/azuracast","remoteId":"GHSA-q4ph-8x8g-95f8","title":"AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field","link":"https:\/\/github.com\/advisories\/GHSA-q4ph-8x8g-95f8","cve":null,"affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:19:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q4ph-8x8g-95f8"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-kq1j-n47j-c2p7","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vgrf-pr28-vf98","title":"CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess","link":"https:\/\/github.com\/advisories\/GHSA-vgrf-pr28-vf98","cve":"CVE-2026-41890","affectedVersions":"\u003E=0.31.1.0,\u003C=0.31.7.0","source":"GitHub","reportedAt":"2026-05-04 20:50:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vgrf-pr28-vf98"}]},{"advisoryId":"PKSA-cf98-gsv6-bv96","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-5hfv-c864-qcq9","title":"CI4MS has a Deactivated User Session Bypass (active=0)","link":"https:\/\/github.com\/advisories\/GHSA-5hfv-c864-qcq9","cve":"CVE-2026-41891","affectedVersions":"\u003E=0.26.0,\u003C=0.31.7.0","source":"GitHub","reportedAt":"2026-05-04 20:50:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5hfv-c864-qcq9"}]},{"advisoryId":"PKSA-gg2g-kjmj-cghy","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fw49-9xq4-gmx6","title":"CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-fw49-9xq4-gmx6","cve":"CVE-2026-41587","affectedVersions":"\u003E=0.26.0.0,\u003C=0.31.6.0","source":"GitHub","reportedAt":"2026-04-29 20:42:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fw49-9xq4-gmx6"}]},{"advisoryId":"PKSA-219p-5b8k-2v2r","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-qxpq-82f3-xj47","title":"CI4MS: Backup Management Full Account Takeover for All Roles \u0026 Privilege Escalation via Stored DOM Blind XSS","link":"https:\/\/github.com\/advisories\/GHSA-qxpq-82f3-xj47","cve":"CVE-2026-41201","affectedVersions":"\u003C0.31.5.0","source":"GitHub","reportedAt":"2026-04-22 17:27:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qxpq-82f3-xj47"}]},{"advisoryId":"PKSA-2xsc-43zp-v4cr","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-xp9f-pvvc-57p4","title":"CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE","link":"https:\/\/github.com\/advisories\/GHSA-xp9f-pvvc-57p4","cve":"CVE-2026-41202","affectedVersions":"\u003C0.31.5.0","source":"GitHub","reportedAt":"2026-04-22 17:28:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-xp9f-pvvc-57p4"}]},{"advisoryId":"PKSA-tyjg-jzs3-mzjt","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-xv3r-vr59-95rg","title":"CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE","link":"https:\/\/github.com\/advisories\/GHSA-xv3r-vr59-95rg","cve":"CVE-2026-41203","affectedVersions":"\u003C0.31.5.0","source":"GitHub","reportedAt":"2026-04-22 17:29:58","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-xv3r-vr59-95rg"}]},{"advisoryId":"PKSA-76s3-z1f6-2f6c","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-gcfj-cf7j-vwgj","title":"CI4MS: System Settings (Social Media Management) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-gcfj-cf7j-vwgj","cve":"CVE-2026-34561","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:02:34","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gcfj-cf7j-vwgj"}]},{"advisoryId":"PKSA-3cpq-nyc1-zgst","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-66m2-v9v9-95c3","title":"ci4-cms-erp\/ci4ms: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-66m2-v9v9-95c3","cve":"CVE-2026-27599","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-03-30 16:19:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-66m2-v9v9-95c3"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-wrgq-xy3s-q6nz","packageName":"getkirby\/cms","remoteId":"GHSA-2h7v-4372-f6x2","title":"Kirby CMS\u0027s read access to site, user and role information is not gated by permissions","link":"https:\/\/github.com\/advisories\/GHSA-2h7v-4372-f6x2","cve":"CVE-2026-42069","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-05-04 19:50:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2h7v-4372-f6x2"}]},{"advisoryId":"PKSA-p78d-845h-8y84","packageName":"getkirby\/cms","remoteId":"GHSA-39cp-6679-8xv2","title":"Kirby CMS doesn\u0027t gate user avatar creation, replacement and deletion with user update permissions","link":"https:\/\/github.com\/advisories\/GHSA-39cp-6679-8xv2","cve":"CVE-2026-42174","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-05-04 19:58:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-39cp-6679-8xv2"}]},{"advisoryId":"PKSA-d1w9-s6x2-nh6p","packageName":"getkirby\/cms","remoteId":"GHSA-x68m-c7jf-2572","title":"Kirby CMS\u0027s system API endpoint leaks installed version and license data to authenticated users","link":"https:\/\/github.com\/advisories\/GHSA-x68m-c7jf-2572","cve":"CVE-2026-42051","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-05-04 19:59:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x68m-c7jf-2572"}]},{"advisoryId":"PKSA-bpcj-ysn7-my14","packageName":"getkirby\/cms","remoteId":"GHSA-85x2-r8xv-ww8c","title":"Kirby CMS\u0027s `pages.access\/list` and `files.access\/list` permissions are not consistently checked in the Panel and REST API","link":"https:\/\/github.com\/advisories\/GHSA-85x2-r8xv-ww8c","cve":"CVE-2026-42137","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-04-30 21:03:20","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-85x2-r8xv-ww8c"}]},{"advisoryId":"PKSA-m1sp-3j4c-yg88","packageName":"getkirby\/cms","remoteId":"GHSA-6gqr-mx34-wh8r","title":"Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection","link":"https:\/\/github.com\/advisories\/GHSA-6gqr-mx34-wh8r","cve":"CVE-2026-41325","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-24 20:39:36","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6gqr-mx34-wh8r"}]},{"advisoryId":"PKSA-rr97-2byk-h46m","packageName":"getkirby\/cms","remoteId":"GHSA-9wfj-c55w-j9qr","title":"Kirby has XML injection in its XML creator toolkit","link":"https:\/\/github.com\/advisories\/GHSA-9wfj-c55w-j9qr","cve":"CVE-2026-32870","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-23 21:21:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9wfj-c55w-j9qr"}]},{"advisoryId":"PKSA-w67s-1md9-r7dk","packageName":"getkirby\/cms","remoteId":"GHSA-jcjw-58rv-c452","title":"Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering","link":"https:\/\/github.com\/advisories\/GHSA-jcjw-58rv-c452","cve":"CVE-2026-34587","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-23 21:24:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jcjw-58rv-c452"}]},{"advisoryId":"PKSA-pyk9-2q1t-drry","packageName":"getkirby\/cms","remoteId":"GHSA-w942-j9r6-hr6r","title":"Kirby\u0027s page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter","link":"https:\/\/github.com\/advisories\/GHSA-w942-j9r6-hr6r","cve":"CVE-2026-40099","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-23 21:24:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w942-j9r6-hr6r"}]}],"prestashop\/ps_checkout":[{"advisoryId":"PKSA-vdq5-bx4j-ybb1","packageName":"prestashop\/ps_checkout","remoteId":"GHSA-mqq7-wxx5-mp8h","title":"ps_checkout allows unauthorized method invocation through unvalidated parameter","link":"https:\/\/github.com\/advisories\/GHSA-mqq7-wxx5-mp8h","cve":null,"affectedVersions":"\u003C5.3.0","source":"GitHub","reportedAt":"2026-04-30 20:59:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mqq7-wxx5-mp8h"}]}],"ipl\/web":[{"advisoryId":"PKSA-k319-99m7-bjxd","packageName":"ipl\/web","remoteId":"GHSA-55wf-5m3q-6jjf","title":"ipl\/web is vulnerable to reflected XSS by malformed search requests","link":"https:\/\/github.com\/advisories\/GHSA-55wf-5m3q-6jjf","cve":"CVE-2026-42224","affectedVersions":"\u003C=0.13.0","source":"GitHub","reportedAt":"2026-04-29 21:01:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-55wf-5m3q-6jjf"}]}],"phpoffice\/phpspreadsheet":[{"advisoryId":"PKSA-8cfg-tzhf-fr83","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-q4q6-r8wh-5cgh","title":"PhpSpreadsheet has SSRF\/RCE in IOFactory::load when $filename is user controlled","link":"https:\/\/github.com\/advisories\/GHSA-q4q6-r8wh-5cgh","cve":"CVE-2026-34084","affectedVersions":"\u003C=1.30.2|\u003E=2.0.0,\u003C=2.1.14|\u003E=2.2.0,\u003C=2.4.3|\u003E=3.3.0,\u003C=3.10.3|\u003E=4.0.0,\u003C=5.5.0","source":"GitHub","reportedAt":"2026-04-29 20:22:30","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-q4q6-r8wh-5cgh"}]},{"advisoryId":"PKSA-x13r-n4wc-4gcr","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-84wq-86v6-x5j6","title":"PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader","link":"https:\/\/github.com\/advisories\/GHSA-84wq-86v6-x5j6","cve":"CVE-2026-40863","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-29 20:23:27","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-84wq-86v6-x5j6"}]},{"advisoryId":"PKSA-gz3f-3cz3-3wsw","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-7c6m-4442-2x6m","title":"PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions","link":"https:\/\/github.com\/advisories\/GHSA-7c6m-4442-2x6m","cve":"CVE-2026-40902","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-29 20:24:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7c6m-4442-2x6m"}]},{"advisoryId":"PKSA-jtdk-dcr5-f11n","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-6wpp-88cp-7q68","title":"PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer","link":"https:\/\/github.com\/advisories\/GHSA-6wpp-88cp-7q68","cve":"CVE-2026-35453","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-28 22:50:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6wpp-88cp-7q68"}]},{"advisoryId":"PKSA-hznc-gbby-6w16","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-hrmw-qprp-wgmc","title":"PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer","link":"https:\/\/github.com\/advisories\/GHSA-hrmw-qprp-wgmc","cve":"CVE-2026-40296","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-28 22:57:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hrmw-qprp-wgmc"}]}],"roadiz\/openid":[{"advisoryId":"PKSA-h9v7-gkkk-sf31","packageName":"roadiz\/openid","remoteId":"GHSA-3gx8-q682-38mx","title":"OpenID Connect nonce generated but never validated \u2014 ID token replay attack","link":"https:\/\/github.com\/advisories\/GHSA-3gx8-q682-38mx","cve":"CVE-2026-42206","affectedVersions":"\u003C2.3.43|\u003E=2.5.0,\u003C2.5.45|\u003E=2.6.0,\u003C2.6.31|\u003E=2.7.0,\u003C2.7.18","source":"GitHub","reportedAt":"2026-04-29 20:51:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3gx8-q682-38mx"}]}],"almirhodzic\/nova-toggle-5":[{"advisoryId":"PKSA-bty3-jphf-3n5y","packageName":"almirhodzic\/nova-toggle-5","remoteId":"GHSA-f5c8-m5vw-rmgq","title":"nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields","link":"https:\/\/github.com\/advisories\/GHSA-f5c8-m5vw-rmgq","cve":"CVE-2026-42202","affectedVersions":"\u003C1.3.0","source":"GitHub","reportedAt":"2026-04-24 16:00:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5c8-m5vw-rmgq"}]}],"typo3\/cms-backend":[{"advisoryId":"PKSA-j4dd-3nrn-j8w4","packageName":"typo3\/cms-backend","remoteId":"GHSA-xvv6-p4wf-mvx7","title":"TYPO3 CMS Stores Cleartext Password in User Settings Module","link":"https:\/\/github.com\/advisories\/GHSA-xvv6-p4wf-mvx7","cve":"CVE-2026-6553","affectedVersions":"=14.2.0","source":"GitHub","reportedAt":"2026-04-24 16:39:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvv6-p4wf-mvx7"}]}],"flarum\/core":[{"advisoryId":"PKSA-4s1v-jz1f-4jpx","packageName":"flarum\/core","remoteId":"GHSA-xjvc-pw2r-6878","title":"Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)","link":"https:\/\/github.com\/advisories\/GHSA-xjvc-pw2r-6878","cve":"CVE-2026-41887","affectedVersions":"\u003E=2.0.0-beta.1,\u003C=2.0.0-beta.8|\u003C=1.8.15","source":"GitHub","reportedAt":"2026-04-22 20:34:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xjvc-pw2r-6878"}]}],"phpunit\/phpunit":[{"advisoryId":"PKSA-qccq-2pht-gg3w","packageName":"phpunit\/phpunit","remoteId":"GHSA-mh6w-vxff-9wqp","title":"PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes","link":"https:\/\/github.com\/advisories\/GHSA-mh6w-vxff-9wqp","cve":null,"affectedVersions":"\u003E=13.1.5,\u003C13.1.6|\u003E=12.5.21,\u003C12.5.22","source":"GitHub","reportedAt":"2026-04-22 14:56:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-mh6w-vxff-9wqp"}]},{"advisoryId":"PKSA-5jz8-6tcw-pbk4","packageName":"phpunit\/phpunit","remoteId":"phpunit\/phpunit\/CVE-2026-41570.yaml","title":"Argument injection via newline in PHP INI values forwarded to child processes","link":"https:\/\/github.com\/sebastianbergmann\/phpunit\/security\/advisories\/GHSA-qrr6-mg7r-m243","cve":"CVE-2026-41570","affectedVersions":"\u003E=12.5.21,\u003C12.5.22|\u003E=13.1.5,\u003C13.1.6","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-17 12:52:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qrr6-mg7r-m243"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"phpunit\/phpunit\/CVE-2026-41570.yaml"}]},{"advisoryId":"PKSA-z3gr-8qht-p93v","packageName":"phpunit\/phpunit","remoteId":"phpunit\/phpunit\/CVE-2026-24765.yaml","title":"Unsafe Deserialization in PHPT Code Coverage Handling","link":"https:\/\/github.com\/sebastianbergmann\/phpunit\/security\/advisories\/GHSA-vvj3-c3rp-c85p","cve":"CVE-2026-24765","affectedVersions":"\u003E=0,\u003C8.5.52|\u003E=9.0.0,\u003C9.6.33|\u003E=10.0.0,\u003C10.5.62|\u003E=11.0.0,\u003C11.5.50|\u003E=12.0.0,\u003C12.5.8","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-01-27 05:21:14","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vvj3-c3rp-c85p"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"phpunit\/phpunit\/CVE-2026-24765.yaml"}]}],"october\/system":[{"advisoryId":"PKSA-drxd-zbt8-s1kh","packageName":"october\/system","remoteId":"GHSA-jj38-h5w5-mvpf","title":"October CMS: Reflected XSS via DataTable Form Widget","link":"https:\/\/github.com\/advisories\/GHSA-jj38-h5w5-mvpf","cve":"CVE-2026-27937","affectedVersions":"\u003E=4.0.0,\u003C4.1.16|\u003C3.7.16","source":"GitHub","reportedAt":"2026-04-21 17:15:21","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jj38-h5w5-mvpf"}]},{"advisoryId":"PKSA-h2tj-db1h-m5mf","packageName":"october\/system","remoteId":"GHSA-jvwg-phxx-j3rp","title":"October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations","link":"https:\/\/github.com\/advisories\/GHSA-jvwg-phxx-j3rp","cve":"CVE-2026-29179","affectedVersions":"\u003C3.7.16|\u003E=4.0.0,\u003C4.1.16","source":"GitHub","reportedAt":"2026-04-21 17:15:38","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jvwg-phxx-j3rp"}]},{"advisoryId":"PKSA-4k1j-qzgm-rvr3","packageName":"october\/system","remoteId":"GHSA-3888-q23f-x7qh","title":"October CMS has Safe Mode Bypass via CSS Preprocessor Compilers","link":"https:\/\/github.com\/advisories\/GHSA-3888-q23f-x7qh","cve":"CVE-2026-26067","affectedVersions":"\u003E=4.0.0,\u003C4.1.10|\u003C3.7.14","source":"GitHub","reportedAt":"2026-04-21 16:43:49","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3888-q23f-x7qh"}]},{"advisoryId":"PKSA-44b4-zdw9-q1j5","packageName":"october\/system","remoteId":"GHSA-6qmh-j78v-ffp7","title":"October CMS has Stored XSS in Backend Editor Markup Classes","link":"https:\/\/github.com\/advisories\/GHSA-6qmh-j78v-ffp7","cve":"CVE-2026-24906","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 20:02:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6qmh-j78v-ffp7"}]},{"advisoryId":"PKSA-57nm-kh7g-ddrg","packageName":"october\/system","remoteId":"GHSA-j4j5-9x6g-rgxc","title":"October CMS has Stored XSS in Event Log Mail Preview","link":"https:\/\/github.com\/advisories\/GHSA-j4j5-9x6g-rgxc","cve":"CVE-2026-24907","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 20:02:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-j4j5-9x6g-rgxc"}]}],"october\/october":[{"advisoryId":"PKSA-yqc2-m5mr-13xt","packageName":"october\/october","remoteId":"GHSA-h6jm-f4hh-fw27","title":"October CMS has Safe Mode Bypass via Twig Database Write Operations","link":"https:\/\/github.com\/advisories\/GHSA-h6jm-f4hh-fw27","cve":"CVE-2026-26274","affectedVersions":"\u003E=4.0.0,\u003C4.1.10|\u003C3.7.14","source":"GitHub","reportedAt":"2026-04-21 16:44:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-h6jm-f4hh-fw27"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-n7s9-fhkk-29wv","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-f58v-p6j9-24c2","title":"YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()","link":"https:\/\/github.com\/advisories\/GHSA-f58v-p6j9-24c2","cve":"CVE-2026-41143","affectedVersions":"\u003C=4.6.0","source":"GitHub","reportedAt":"2026-04-18 01:00:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f58v-p6j9-24c2"}]}],"markhuot\/craftql":[{"advisoryId":"PKSA-nwgj-1fc9-zj7r","packageName":"markhuot\/craftql","remoteId":"GHSA-8wmw-prw8-2ggm","title":"Craftql vulnerable to Server-Side Request Forgery","link":"https:\/\/github.com\/advisories\/GHSA-8wmw-prw8-2ggm","cve":"CVE-2026-31317","affectedVersions":"\u003C=1.3.7","source":"GitHub","reportedAt":"2026-04-17 15:31:18","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8wmw-prw8-2ggm"}]}],"goodoneuz\/pay-uz":[{"advisoryId":"PKSA-hc2w-9ctz-542g","packageName":"goodoneuz\/pay-uz","remoteId":"GHSA-m5wg-cjgh-223j","title":"goodoneuz\/pay-uz: the \/payment\/api\/editable\/update endpoint overwrites existing PHP payment hook files","link":"https:\/\/github.com\/advisories\/GHSA-m5wg-cjgh-223j","cve":"CVE-2026-31843","affectedVersions":"\u003C=2.2.24","source":"GitHub","reportedAt":"2026-04-16 15:31:32","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-m5wg-cjgh-223j"}]}],"processwire\/processwire":[{"advisoryId":"PKSA-m19p-x1h4-xw57","packageName":"processwire\/processwire","remoteId":"GHSA-gmwr-9j4p-96vm","title":"ProcessWire: server-side request forgery vulnerability in the admin panel\u0027s \u0027Add Module From URL\u0027 feature","link":"https:\/\/github.com\/advisories\/GHSA-gmwr-9j4p-96vm","cve":"CVE-2026-40500","affectedVersions":"\u003C=3.0.255","source":"GitHub","reportedAt":"2026-04-16 00:54:04","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gmwr-9j4p-96vm"}]}],"joedolson\/my-calendar":[{"advisoryId":"PKSA-zws9-hgnd-t1ht","packageName":"joedolson\/my-calendar","remoteId":"GHSA-2mvx-f5qm-v2ch","title":"Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar","link":"https:\/\/github.com\/advisories\/GHSA-2mvx-f5qm-v2ch","cve":"CVE-2026-40308","affectedVersions":"\u003C3.7.7","source":"GitHub","reportedAt":"2026-04-16 21:34:40","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2mvx-f5qm-v2ch"}]}],"silverstripe\/assets":[{"advisoryId":"PKSA-tfnf-7k34-fpdv","packageName":"silverstripe\/assets","remoteId":"silverstripe\/assets\/CVE-2026-24749.yaml","title":"CVE-2026-24749 - DBFile permission bypass","link":"https:\/\/www.silverstripe.org\/download\/security-releases\/cve-2026-24749","cve":"CVE-2026-24749","affectedVersions":"\u003E=2.0.0,\u003C2.4.5|\u003E=3.0.0,\u003C3.1.3","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-16 02:30:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jgcf-rf45-2f8v"},{"name":"FriendsOfPHP\/security-advisories","remoteId":"silverstripe\/assets\/CVE-2026-24749.yaml"}]}],"khodakhah\/nodcms":[{"advisoryId":"PKSA-j2zd-bc4z-jzrm","packageName":"khodakhah\/nodcms","remoteId":"GHSA-3qcm-pj6q-w4c5","title":"Nodcms contains a cross-site request forgery vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-3qcm-pj6q-w4c5","cve":"CVE-2016-20054","affectedVersions":"\u003C=3.4.1","source":"GitHub","reportedAt":"2026-04-04 21:30:27","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3qcm-pj6q-w4c5"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-t427-p3m6-gf3c","packageName":"froxlor\/froxlor","remoteId":"GHSA-w59f-67xm-rxx7","title":"Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-w59f-67xm-rxx7","cve":"CVE-2026-41228","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 01:02:12","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w59f-67xm-rxx7"}]},{"advisoryId":"PKSA-ghdy-xf1y-wsyx","packageName":"froxlor\/froxlor","remoteId":"GHSA-jvx4-xv3m-hrj4","title":"Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()","link":"https:\/\/github.com\/advisories\/GHSA-jvx4-xv3m-hrj4","cve":"CVE-2026-41233","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:46:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jvx4-xv3m-hrj4"}]},{"advisoryId":"PKSA-mym1-2cj8-f6cp","packageName":"froxlor\/froxlor","remoteId":"GHSA-vmjj-qr7v-pxm6","title":"Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing","link":"https:\/\/github.com\/advisories\/GHSA-vmjj-qr7v-pxm6","cve":"CVE-2026-41232","affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vmjj-qr7v-pxm6"}]},{"advisoryId":"PKSA-jy2x-d5vf-ycwz","packageName":"froxlor\/froxlor","remoteId":"GHSA-75h4-c557-j89r","title":"Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron","link":"https:\/\/github.com\/advisories\/GHSA-75h4-c557-j89r","cve":"CVE-2026-41231","affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-75h4-c557-j89r"}]},{"advisoryId":"PKSA-zvbr-5xtx-pwd7","packageName":"froxlor\/froxlor","remoteId":"GHSA-47hf-23pw-3m8c","title":"Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()","link":"https:\/\/github.com\/advisories\/GHSA-47hf-23pw-3m8c","cve":"CVE-2026-41230","affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-47hf-23pw-3m8c"}]},{"advisoryId":"PKSA-s4pz-z4hm-5n7x","packageName":"froxlor\/froxlor","remoteId":"GHSA-gc9w-cc93-rjv8","title":"Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)","link":"https:\/\/github.com\/advisories\/GHSA-gc9w-cc93-rjv8","cve":"CVE-2026-41229","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:50:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gc9w-cc93-rjv8"}]}],"pocketmine\/pocketmine-mp":[{"advisoryId":"PKSA-tnfd-ykdn-862g","packageName":"pocketmine\/pocketmine-mp","remoteId":"GHSA-xp4f-g2cm-rhg7","title":"PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket","link":"https:\/\/github.com\/advisories\/GHSA-xp4f-g2cm-rhg7","cve":null,"affectedVersions":"\u003C5.42.1","source":"GitHub","reportedAt":"2026-04-15 19:43:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xp4f-g2cm-rhg7"}]}],"s9y\/serendipity":[{"advisoryId":"PKSA-vfgc-2rdq-w256","packageName":"s9y\/serendipity","remoteId":"GHSA-4m6c-649p-f6gf","title":"Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php","link":"https:\/\/github.com\/advisories\/GHSA-4m6c-649p-f6gf","cve":"CVE-2026-39963","affectedVersions":"\u003C2.6.0","source":"GitHub","reportedAt":"2026-04-14 22:32:29","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4m6c-649p-f6gf"}]},{"advisoryId":"PKSA-fdbd-416g-v2zm","packageName":"s9y\/serendipity","remoteId":"GHSA-458g-q4fh-mj6r","title":"Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header","link":"https:\/\/github.com\/advisories\/GHSA-458g-q4fh-mj6r","cve":"CVE-2026-39971","affectedVersions":"\u003C2.6.0","source":"GitHub","reportedAt":"2026-04-14 22:32:38","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-458g-q4fh-mj6r"}]}],"october\/rain":[{"advisoryId":"PKSA-qst9-2ky5-dhpn","packageName":"october\/rain","remoteId":"GHSA-g6v3-wv4j-x9hg","title":"October Rain has Environment Variable Exfiltration via INI Parser Interpolation","link":"https:\/\/github.com\/advisories\/GHSA-g6v3-wv4j-x9hg","cve":"CVE-2026-25125","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 22:29:41","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g6v3-wv4j-x9hg"}]},{"advisoryId":"PKSA-22sk-dxft-df3d","packageName":"october\/rain","remoteId":"GHSA-gcqv-f29m-67gr","title":"October Rain has Stored XSS via SVG Filter Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gcqv-f29m-67gr","cve":"CVE-2026-25133","affectedVersions":"\u003C=3.7.13|\u003E=4.0.0,\u003C=4.1.9","source":"GitHub","reportedAt":"2026-04-14 22:29:50","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gcqv-f29m-67gr"}]},{"advisoryId":"PKSA-7hg1-vmz2-j7w6","packageName":"october\/rain","remoteId":"GHSA-m5qg-jc75-4jp6","title":"October Rain has a Twig Sandbox Bypass via Collection Methods","link":"https:\/\/github.com\/advisories\/GHSA-m5qg-jc75-4jp6","cve":"CVE-2026-22692","affectedVersions":"\u003C=3.7.12|\u003E=4.0.0,\u003C=4.1.4","source":"GitHub","reportedAt":"2026-04-14 20:02:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m5qg-jc75-4jp6"}]}],"craftcms\/commerce":[{"advisoryId":"PKSA-tnb8-k5sw-yxmk","packageName":"craftcms\/commerce","remoteId":"GHSA-3vxg-x5f8-f5qf","title":"Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments","link":"https:\/\/github.com\/advisories\/GHSA-3vxg-x5f8-f5qf","cve":"CVE-2026-32270","affectedVersions":"\u003E=4.0.0,\u003C=4.10.2|\u003E=5.0.0,\u003C=5.5.4","source":"GitHub","reportedAt":"2026-04-14 01:01:17","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-3vxg-x5f8-f5qf"}]},{"advisoryId":"PKSA-nhg1-858f-sgm2","packageName":"craftcms\/commerce","remoteId":"GHSA-r54v-qq87-px5r","title":"Craft Commerce hasVariant\/hasProduct Blind SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-r54v-qq87-px5r","cve":"CVE-2026-32272","affectedVersions":"\u003E=5.0.0,\u003C5.6.0","source":"GitHub","reportedAt":"2026-04-14 00:06:56","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r54v-qq87-px5r"}]},{"advisoryId":"PKSA-chpm-5f12-rdnt","packageName":"craftcms\/commerce","remoteId":"GHSA-875v-7m49-8x88","title":"Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget","link":"https:\/\/github.com\/advisories\/GHSA-875v-7m49-8x88","cve":"CVE-2026-32271","affectedVersions":"\u003E=5.0.0,\u003C=5.5.4|\u003E=4.0.0,\u003C=4.10.2","source":"GitHub","reportedAt":"2026-04-14 00:07:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-875v-7m49-8x88"}]}],"rhukster\/dom-sanitizer":[{"advisoryId":"PKSA-x5pq-tgg3-vhtm","packageName":"rhukster\/dom-sanitizer","remoteId":"GHSA-93vf-569f-22cq","title":"rhukster\/dom-sanitizer: SVG \u003Cstyle\u003E tag allows CSS injection via unfiltered url() and @import directives","link":"https:\/\/github.com\/advisories\/GHSA-93vf-569f-22cq","cve":"CVE-2026-40301","affectedVersions":"\u003C1.0.10","source":"GitHub","reportedAt":"2026-04-10 21:08:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-93vf-569f-22cq"}]}],"laravel\/passport":[{"advisoryId":"PKSA-wc55-9qj2-7v4h","packageName":"laravel\/passport","remoteId":"GHSA-349c-2h2f-mxf6","title":"Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens","link":"https:\/\/github.com\/advisories\/GHSA-349c-2h2f-mxf6","cve":"CVE-2026-39976","affectedVersions":"\u003E=13.0.0,\u003C13.7.1","source":"GitHub","reportedAt":"2026-04-08 19:57:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-349c-2h2f-mxf6"}]}],"librenms\/librenms":[{"advisoryId":"PKSA-crbw-6n6w-1qmb","packageName":"librenms\/librenms","remoteId":"GHSA-pr3g-phhr-h8fh","title":"LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write","link":"https:\/\/github.com\/advisories\/GHSA-pr3g-phhr-h8fh","cve":"CVE-2026-6204","affectedVersions":"\u003E=1.48,\u003C26.3.0","source":"GitHub","reportedAt":"2026-03-26 18:04:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pr3g-phhr-h8fh"}]}],"google\/protobuf":[{"advisoryId":"PKSA-tcfz-w4fm-hhk9","packageName":"google\/protobuf","remoteId":"GHSA-p2gh-cfq4-4wjc","title":"Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion","link":"https:\/\/github.com\/advisories\/GHSA-p2gh-cfq4-4wjc","cve":"CVE-2026-6409","affectedVersions":"\u003C4.33.6","source":"GitHub","reportedAt":"2026-03-25 21:02:08","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p2gh-cfq4-4wjc"}]}],"components\/jquery":[{"advisoryId":"PKSA-jvpv-pcrn-dfzc","packageName":"components\/jquery","remoteId":"GHSA-gxr4-xjj5-5px2","title":"Potential XSS vulnerability in jQuery","link":"https:\/\/github.com\/advisories\/GHSA-gxr4-xjj5-5px2","cve":"CVE-2020-11022","affectedVersions":"\u003E=1.12.0,\u003C3.5.0","source":"GitHub","reportedAt":"2020-04-29 22:18:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gxr4-xjj5-5px2"}]}]}}