{"advisories":{"admidio\/admidio":[{"advisoryId":"PKSA-n418-ymkg-hg9x","packageName":"admidio\/admidio","remoteId":"GHSA-gq27-fc8w-vcmp","title":"Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion","link":"https:\/\/github.com\/advisories\/GHSA-gq27-fc8w-vcmp","cve":"CVE-2026-41661","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:51:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gq27-fc8w-vcmp"}]},{"advisoryId":"PKSA-c3x4-7b97-m7w3","packageName":"admidio\/admidio","remoteId":"GHSA-c7xm-r6vj-8vg6","title":"Admidio Missing Minimum Administrator Check in Role Membership Removal","link":"https:\/\/github.com\/advisories\/GHSA-c7xm-r6vj-8vg6","cve":"CVE-2026-41662","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:53:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c7xm-r6vj-8vg6"}]},{"advisoryId":"PKSA-j859-828r-5ckz","packageName":"admidio\/admidio","remoteId":"GHSA-rw74-vc9h-534j","title":"Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send","link":"https:\/\/github.com\/advisories\/GHSA-rw74-vc9h-534j","cve":"CVE-2026-41663","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:54:30","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-rw74-vc9h-534j"}]},{"advisoryId":"PKSA-mwvm-8f5c-nh8q","packageName":"admidio\/admidio","remoteId":"GHSA-25cw-98hg-g3cg","title":"Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests","link":"https:\/\/github.com\/advisories\/GHSA-25cw-98hg-g3cg","cve":"CVE-2026-41669","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:56:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-25cw-98hg-g3cg"}]},{"advisoryId":"PKSA-k4tr-44q9-mfgg","packageName":"admidio\/admidio","remoteId":"GHSA-p9w9-87c8-m235","title":"Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest","link":"https:\/\/github.com\/advisories\/GHSA-p9w9-87c8-m235","cve":"CVE-2026-41670","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:57:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-p9w9-87c8-m235"}]},{"advisoryId":"PKSA-n1pt-kptp-xq6q","packageName":"admidio\/admidio","remoteId":"GHSA-9xx5-cv6j-x533","title":"Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation","link":"https:\/\/github.com\/advisories\/GHSA-9xx5-cv6j-x533","cve":"CVE-2026-41671","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:58:56","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9xx5-cv6j-x533"}]},{"advisoryId":"PKSA-dmht-7tmz-kr72","packageName":"admidio\/admidio","remoteId":"GHSA-m9h6-8pqm-xrhf","title":"Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read","link":"https:\/\/github.com\/advisories\/GHSA-m9h6-8pqm-xrhf","cve":"CVE-2026-41656","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:42:20","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m9h6-8pqm-xrhf"}]},{"advisoryId":"PKSA-9g4b-9vzm-tggf","packageName":"admidio\/admidio","remoteId":"GHSA-g8p8-94f2-28gr","title":"Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php","link":"https:\/\/github.com\/advisories\/GHSA-g8p8-94f2-28gr","cve":"CVE-2026-41657","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:44:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g8p8-94f2-28gr"}]},{"advisoryId":"PKSA-rj3x-dwht-5vgg","packageName":"admidio\/admidio","remoteId":"GHSA-xqv4-xm7h-52cv","title":"Admidio\u0027s Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items","link":"https:\/\/github.com\/advisories\/GHSA-xqv4-xm7h-52cv","cve":"CVE-2026-41658","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:46:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xqv4-xm7h-52cv"}]},{"advisoryId":"PKSA-f5x6-www4-q362","packageName":"admidio\/admidio","remoteId":"GHSA-68pr-7prh-mpv4","title":"Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment","link":"https:\/\/github.com\/advisories\/GHSA-68pr-7prh-mpv4","cve":"CVE-2026-41659","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:47:29","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-68pr-7prh-mpv4"}]},{"advisoryId":"PKSA-z1nh-b6vq-4kjj","packageName":"admidio\/admidio","remoteId":"GHSA-rh3w-4ccx-prf9","title":"Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP","link":"https:\/\/github.com\/advisories\/GHSA-rh3w-4ccx-prf9","cve":"CVE-2026-41660","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:49:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rh3w-4ccx-prf9"}]},{"advisoryId":"PKSA-cp5f-g188-kj61","packageName":"admidio\/admidio","remoteId":"GHSA-m3vp-3jjm-gpmx","title":"Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials","link":"https:\/\/github.com\/advisories\/GHSA-m3vp-3jjm-gpmx","cve":"CVE-2026-41655","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-04-29 21:37:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m3vp-3jjm-gpmx"}]}],"ipl\/web":[{"advisoryId":"PKSA-k319-99m7-bjxd","packageName":"ipl\/web","remoteId":"GHSA-55wf-5m3q-6jjf","title":"ipl\/web is vulnerable to reflected XSS by malformed search requests","link":"https:\/\/github.com\/advisories\/GHSA-55wf-5m3q-6jjf","cve":"CVE-2026-42224","affectedVersions":"\u003C=0.13.0","source":"GitHub","reportedAt":"2026-04-29 21:01:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-55wf-5m3q-6jjf"}]}],"phpoffice\/phpspreadsheet":[{"advisoryId":"PKSA-8cfg-tzhf-fr83","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-q4q6-r8wh-5cgh","title":"PhpSpreadsheet has SSRF\/RCE in IOFactory::load when $filename is user controlled","link":"https:\/\/github.com\/advisories\/GHSA-q4q6-r8wh-5cgh","cve":"CVE-2026-34084","affectedVersions":"\u003C=1.30.2|\u003E=2.0.0,\u003C=2.1.14|\u003E=2.2.0,\u003C=2.4.3|\u003E=3.3.0,\u003C=3.10.3|\u003E=4.0.0,\u003C=5.5.0","source":"GitHub","reportedAt":"2026-04-29 20:22:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q4q6-r8wh-5cgh"}]},{"advisoryId":"PKSA-x13r-n4wc-4gcr","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-84wq-86v6-x5j6","title":"PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader","link":"https:\/\/github.com\/advisories\/GHSA-84wq-86v6-x5j6","cve":"CVE-2026-40863","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-29 20:23:27","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-84wq-86v6-x5j6"}]},{"advisoryId":"PKSA-gz3f-3cz3-3wsw","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-7c6m-4442-2x6m","title":"PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions","link":"https:\/\/github.com\/advisories\/GHSA-7c6m-4442-2x6m","cve":"CVE-2026-40902","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-29 20:24:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-7c6m-4442-2x6m"}]},{"advisoryId":"PKSA-jtdk-dcr5-f11n","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-6wpp-88cp-7q68","title":"PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer","link":"https:\/\/github.com\/advisories\/GHSA-6wpp-88cp-7q68","cve":"CVE-2026-35453","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-28 22:50:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6wpp-88cp-7q68"}]},{"advisoryId":"PKSA-hznc-gbby-6w16","packageName":"phpoffice\/phpspreadsheet","remoteId":"GHSA-hrmw-qprp-wgmc","title":"PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer","link":"https:\/\/github.com\/advisories\/GHSA-hrmw-qprp-wgmc","cve":"CVE-2026-40296","affectedVersions":"\u003C=1.30.3|\u003E=2.0.0,\u003C=2.1.15|\u003E=2.2.0,\u003C=2.4.4|\u003E=3.3.0,\u003C=3.10.4|\u003E=4.0.0,\u003C=5.6.0","source":"GitHub","reportedAt":"2026-04-28 22:57:13","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hrmw-qprp-wgmc"}]}],"dolibarr\/dolibarr":[{"advisoryId":"PKSA-pnx2-khzh-yv6p","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-j2g9-rprv-hrhc","title":"Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions","link":"https:\/\/github.com\/advisories\/GHSA-j2g9-rprv-hrhc","cve":"CVE-2026-31019","affectedVersions":"\u003C=22.0.4","source":"GitHub","reportedAt":"2026-04-21 15:32:22","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j2g9-rprv-hrhc"}]},{"advisoryId":"PKSA-ntds-z6nr-8hyf","packageName":"dolibarr\/dolibarr","remoteId":"GHSA-676v-wh57-p375","title":"Dolibarr Allows Code Injection through its Website Module","link":"https:\/\/github.com\/advisories\/GHSA-676v-wh57-p375","cve":"CVE-2026-31018","affectedVersions":"\u003C=15.0.3","source":"GitHub","reportedAt":"2026-04-21 15:32:22","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-676v-wh57-p375"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-gg2g-kjmj-cghy","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-fw49-9xq4-gmx6","title":"CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-fw49-9xq4-gmx6","cve":"CVE-2026-41587","affectedVersions":"\u003E=0.26.0.0,\u003C=0.31.6.0","source":"GitHub","reportedAt":"2026-04-29 20:42:44","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fw49-9xq4-gmx6"}]},{"advisoryId":"PKSA-76s3-z1f6-2f6c","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-gcfj-cf7j-vwgj","title":"CI4MS: System Settings (Social Media Management) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-gcfj-cf7j-vwgj","cve":"CVE-2026-34561","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-04-01 22:02:34","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gcfj-cf7j-vwgj"}]},{"advisoryId":"PKSA-3cpq-nyc1-zgst","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-66m2-v9v9-95c3","title":"ci4-cms-erp\/ci4ms: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS","link":"https:\/\/github.com\/advisories\/GHSA-66m2-v9v9-95c3","cve":"CVE-2026-27599","affectedVersions":"\u003C=0.28.6.0","source":"GitHub","reportedAt":"2026-03-30 16:19:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-66m2-v9v9-95c3"}]}],"roadiz\/openid":[{"advisoryId":"PKSA-h9v7-gkkk-sf31","packageName":"roadiz\/openid","remoteId":"GHSA-3gx8-q682-38mx","title":"OpenID Connect nonce generated but never validated \u2014 ID token replay attack","link":"https:\/\/github.com\/advisories\/GHSA-3gx8-q682-38mx","cve":"CVE-2026-42206","affectedVersions":"\u003C2.3.43|\u003E=2.5.0,\u003C2.5.45|\u003E=2.6.0,\u003C2.6.31|\u003E=2.7.0,\u003C2.7.18","source":"GitHub","reportedAt":"2026-04-29 20:51:40","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3gx8-q682-38mx"}]}],"facturascripts\/facturascripts":[{"advisoryId":"PKSA-8tbv-2p1s-9wnk","packageName":"facturascripts\/facturascripts","remoteId":"GHSA-pp79-hqv6-vmc3","title":"FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable \u0027nick\u0027 Field","link":"https:\/\/github.com\/advisories\/GHSA-pp79-hqv6-vmc3","cve":"CVE-2026-32699","affectedVersions":"\u003C=2024.92.x-dev","source":"GitHub","reportedAt":"2026-04-28 22:39:01","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pp79-hqv6-vmc3"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-m1sp-3j4c-yg88","packageName":"getkirby\/cms","remoteId":"GHSA-6gqr-mx34-wh8r","title":"Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection","link":"https:\/\/github.com\/advisories\/GHSA-6gqr-mx34-wh8r","cve":"CVE-2026-41325","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-24 20:39:36","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6gqr-mx34-wh8r"}]},{"advisoryId":"PKSA-rr97-2byk-h46m","packageName":"getkirby\/cms","remoteId":"GHSA-9wfj-c55w-j9qr","title":"Kirby has XML injection in its XML creator toolkit","link":"https:\/\/github.com\/advisories\/GHSA-9wfj-c55w-j9qr","cve":"CVE-2026-32870","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-23 21:21:17","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9wfj-c55w-j9qr"}]},{"advisoryId":"PKSA-w67s-1md9-r7dk","packageName":"getkirby\/cms","remoteId":"GHSA-jcjw-58rv-c452","title":"Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering","link":"https:\/\/github.com\/advisories\/GHSA-jcjw-58rv-c452","cve":"CVE-2026-34587","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-23 21:24:00","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-jcjw-58rv-c452"}]},{"advisoryId":"PKSA-pyk9-2q1t-drry","packageName":"getkirby\/cms","remoteId":"GHSA-w942-j9r6-hr6r","title":"Kirby\u0027s page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter","link":"https:\/\/github.com\/advisories\/GHSA-w942-j9r6-hr6r","cve":"CVE-2026-40099","affectedVersions":"\u003E=5.0.0,\u003C5.4.0|\u003C4.9.0","source":"GitHub","reportedAt":"2026-04-23 21:24:58","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-w942-j9r6-hr6r"}]}],"almirhodzic\/nova-toggle-5":[{"advisoryId":"PKSA-bty3-jphf-3n5y","packageName":"almirhodzic\/nova-toggle-5","remoteId":"GHSA-f5c8-m5vw-rmgq","title":"nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields","link":"https:\/\/github.com\/advisories\/GHSA-f5c8-m5vw-rmgq","cve":null,"affectedVersions":"\u003C1.3.0","source":"GitHub","reportedAt":"2026-04-24 16:00:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5c8-m5vw-rmgq"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-hb9p-xyj3-gfyj","packageName":"kimai\/kimai","remoteId":"GHSA-jv9x-w4gm-hwcm","title":"Kimai has Missing Object-Level Authorization in the Team API","link":"https:\/\/github.com\/advisories\/GHSA-jv9x-w4gm-hwcm","cve":"CVE-2026-41498","affectedVersions":"\u003C2.54.0","source":"GitHub","reportedAt":"2026-04-24 16:17:35","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-jv9x-w4gm-hwcm"}]}],"typo3\/cms-backend":[{"advisoryId":"PKSA-j4dd-3nrn-j8w4","packageName":"typo3\/cms-backend","remoteId":"GHSA-xvv6-p4wf-mvx7","title":"TYPO3 CMS Stores Cleartext Password in User Settings Module","link":"https:\/\/github.com\/advisories\/GHSA-xvv6-p4wf-mvx7","cve":"CVE-2026-6553","affectedVersions":"=14.2.0","source":"GitHub","reportedAt":"2026-04-24 16:39:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xvv6-p4wf-mvx7"}]}],"cockpit-hq\/cockpit":[{"advisoryId":"PKSA-qffw-6vr2-p3h9","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-5pv2-86qj-5jf9","title":"Cockpit has NoSQL Injection Through Content Aggregation Pipelines","link":"https:\/\/github.com\/advisories\/GHSA-5pv2-86qj-5jf9","cve":"CVE-2026-6626","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-20 12:32:01","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-5pv2-86qj-5jf9"}]}],"yeswiki\/yeswiki":[{"advisoryId":"PKSA-n7s9-fhkk-29wv","packageName":"yeswiki\/yeswiki","remoteId":"GHSA-f58v-p6j9-24c2","title":"YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()","link":"https:\/\/github.com\/advisories\/GHSA-f58v-p6j9-24c2","cve":"CVE-2026-41143","affectedVersions":"\u003C=4.6.0","source":"GitHub","reportedAt":"2026-04-18 01:00:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-f58v-p6j9-24c2"}]}],"studio-42\/elfinder":[{"advisoryId":"PKSA-2p87-h1j5-yb5n","packageName":"studio-42\/elfinder","remoteId":"GHSA-8q4h-8crm-5cvc","title":"elFinder: Command injection in resize background color parameter when using ImageMagick CLI","link":"https:\/\/github.com\/advisories\/GHSA-8q4h-8crm-5cvc","cve":"CVE-2026-41247","affectedVersions":"\u003C2.1.67","source":"GitHub","reportedAt":"2026-04-17 22:33:51","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-8q4h-8crm-5cvc"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-z3t4-4xbz-b3c9","packageName":"wwbn\/avideo","remoteId":"GHSA-xr6f-h4x7-r6qp","title":"WWBN AVideo: RCE cause by clonesite plugin","link":"https:\/\/github.com\/advisories\/GHSA-xr6f-h4x7-r6qp","cve":"CVE-2026-41304","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-16 21:25:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xr6f-h4x7-r6qp"}]},{"advisoryId":"PKSA-q934-7bnb-4bby","packageName":"wwbn\/avideo","remoteId":"GHSA-5879-4fmr-xwf2","title":"WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal","link":"https:\/\/github.com\/advisories\/GHSA-5879-4fmr-xwf2","cve":"CVE-2026-41058","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:21:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5879-4fmr-xwf2"}]},{"advisoryId":"PKSA-8cks-7g1w-tz19","packageName":"wwbn\/avideo","remoteId":"GHSA-j432-4w3j-3w8j","title":"WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL","link":"https:\/\/github.com\/advisories\/GHSA-j432-4w3j-3w8j","cve":"CVE-2026-41060","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j432-4w3j-3w8j"}]},{"advisoryId":"PKSA-gxyd-jpvf-3ngj","packageName":"wwbn\/avideo","remoteId":"GHSA-8pv3-29pp-pf8f","title":"WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver","link":"https:\/\/github.com\/advisories\/GHSA-8pv3-29pp-pf8f","cve":"CVE-2026-41061","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:22:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8pv3-29pp-pf8f"}]},{"advisoryId":"PKSA-pt2z-fxr4-fvmc","packageName":"wwbn\/avideo","remoteId":"GHSA-m63r-m9jh-3vc6","title":"WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters","link":"https:\/\/github.com\/advisories\/GHSA-m63r-m9jh-3vc6","cve":"CVE-2026-41062","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:23:14","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m63r-m9jh-3vc6"}]},{"advisoryId":"PKSA-gvmz-qdx4-njzh","packageName":"wwbn\/avideo","remoteId":"GHSA-m7r8-6q9j-m2hc","title":"WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS","link":"https:\/\/github.com\/advisories\/GHSA-m7r8-6q9j-m2hc","cve":"CVE-2026-41063","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:25:28","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m7r8-6q9j-m2hc"}]},{"advisoryId":"PKSA-v7bq-jd15-qdrz","packageName":"wwbn\/avideo","remoteId":"GHSA-pq8p-wc4f-vg7j","title":"WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection","link":"https:\/\/github.com\/advisories\/GHSA-pq8p-wc4f-vg7j","cve":"CVE-2026-41064","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:27:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pq8p-wc4f-vg7j"}]},{"advisoryId":"PKSA-nfcd-g6c3-5tff","packageName":"wwbn\/avideo","remoteId":"GHSA-vvfw-4m39-fjqf","title":"WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials","link":"https:\/\/github.com\/advisories\/GHSA-vvfw-4m39-fjqf","cve":"CVE-2026-40925","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:30","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vvfw-4m39-fjqf"}]},{"advisoryId":"PKSA-ttj4-18vr-tsp9","packageName":"wwbn\/avideo","remoteId":"GHSA-ffw8-fwxp-h64w","title":"WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)","link":"https:\/\/github.com\/advisories\/GHSA-ffw8-fwxp-h64w","cve":"CVE-2026-40926","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ffw8-fwxp-h64w"}]},{"advisoryId":"PKSA-k36z-m2m9-7f9w","packageName":"wwbn\/avideo","remoteId":"GHSA-x2pw-9c38-cp2j","title":"WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion","link":"https:\/\/github.com\/advisories\/GHSA-x2pw-9c38-cp2j","cve":"CVE-2026-40928","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:12:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x2pw-9c38-cp2j"}]},{"advisoryId":"PKSA-8nj2-vhcz-7bc5","packageName":"wwbn\/avideo","remoteId":"GHSA-8qm8-g55h-xmqr","title":"WWBN AVideo is missing CSRF protection in objects\/commentDelete.json.php enables mass comment deletion against moderators and content creators","link":"https:\/\/github.com\/advisories\/GHSA-8qm8-g55h-xmqr","cve":"CVE-2026-40929","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-8qm8-g55h-xmqr"}]},{"advisoryId":"PKSA-k6wt-ck7m-8514","packageName":"wwbn\/avideo","remoteId":"GHSA-hg7g-56h5-5pqr","title":"CAPTCHA Bypass in WWBN\/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure","link":"https:\/\/github.com\/advisories\/GHSA-hg7g-56h5-5pqr","cve":"CVE-2026-40935","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:13:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hg7g-56h5-5pqr"}]},{"advisoryId":"PKSA-zgmc-4215-ztzk","packageName":"wwbn\/avideo","remoteId":"GHSA-793q-xgj6-7frp","title":"WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF","link":"https:\/\/github.com\/advisories\/GHSA-793q-xgj6-7frp","cve":"CVE-2026-41055","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:15:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-793q-xgj6-7frp"}]},{"advisoryId":"PKSA-5c4b-gnfd-8xsq","packageName":"wwbn\/avideo","remoteId":"GHSA-ccq9-r5cw-5hwq","title":"WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover","link":"https:\/\/github.com\/advisories\/GHSA-ccq9-r5cw-5hwq","cve":"CVE-2026-41056","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:19","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ccq9-r5cw-5hwq"}]},{"advisoryId":"PKSA-tsyg-vszv-9tkz","packageName":"wwbn\/avideo","remoteId":"GHSA-ff5q-cc22-fgp4","title":"WWBN AVideo has a CORS Origin Reflection Bypass via plugin\/API\/router.php and allowOrigin(true) Exposes Authenticated API Responses","link":"https:\/\/github.com\/advisories\/GHSA-ff5q-cc22-fgp4","cve":"CVE-2026-41057","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 23:18:28","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ff5q-cc22-fgp4"}]},{"advisoryId":"PKSA-zr2c-vrf1-x6qy","packageName":"wwbn\/avideo","remoteId":"GHSA-gph2-j4c9-vhhr","title":"WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks","link":"https:\/\/github.com\/advisories\/GHSA-gph2-j4c9-vhhr","cve":"CVE-2026-40911","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:50:05","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gph2-j4c9-vhhr"}]},{"advisoryId":"PKSA-2sy8-4q8b-cn2c","packageName":"wwbn\/avideo","remoteId":"GHSA-gpgp-w4x2-h3h7","title":"WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users\u0027 Stream Keys and OAuth Tokens","link":"https:\/\/github.com\/advisories\/GHSA-gpgp-w4x2-h3h7","cve":"CVE-2026-40907","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gpgp-w4x2-h3h7"}]},{"advisoryId":"PKSA-yc9y-ydj1-h48d","packageName":"wwbn\/avideo","remoteId":"GHSA-52hf-63q4-r926","title":"WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version","link":"https:\/\/github.com\/advisories\/GHSA-52hf-63q4-r926","cve":"CVE-2026-40908","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:25","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-52hf-63q4-r926"}]},{"advisoryId":"PKSA-mbzn-myxk-vdz9","packageName":"wwbn\/avideo","remoteId":"GHSA-6rc6-p838-686f","title":"WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)","link":"https:\/\/github.com\/advisories\/GHSA-6rc6-p838-686f","cve":"CVE-2026-40909","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-04-14 22:49:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6rc6-p838-686f"}]}],"statamic\/cms":[{"advisoryId":"PKSA-yx2m-bjk3-fnky","packageName":"statamic\/cms","remoteId":"GHSA-4jjr-vmv7-wh4w","title":"Statamic: Unsafe method invocation via query value resolution allows data destruction","link":"https:\/\/github.com\/advisories\/GHSA-4jjr-vmv7-wh4w","cve":"CVE-2026-41175","affectedVersions":"\u003E=6.0.0-alpha.1,\u003C6.13.0|\u003C5.73.20","source":"GitHub","reportedAt":"2026-04-16 21:25:35","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-4jjr-vmv7-wh4w"}]}],"froxlor\/froxlor":[{"advisoryId":"PKSA-t427-p3m6-gf3c","packageName":"froxlor\/froxlor","remoteId":"GHSA-w59f-67xm-rxx7","title":"Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution","link":"https:\/\/github.com\/advisories\/GHSA-w59f-67xm-rxx7","cve":"CVE-2026-41228","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 01:02:12","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w59f-67xm-rxx7"}]},{"advisoryId":"PKSA-ghdy-xf1y-wsyx","packageName":"froxlor\/froxlor","remoteId":"GHSA-jvx4-xv3m-hrj4","title":"Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()","link":"https:\/\/github.com\/advisories\/GHSA-jvx4-xv3m-hrj4","cve":"CVE-2026-41233","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:46:47","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jvx4-xv3m-hrj4"}]},{"advisoryId":"PKSA-mym1-2cj8-f6cp","packageName":"froxlor\/froxlor","remoteId":"GHSA-vmjj-qr7v-pxm6","title":"Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing","link":"https:\/\/github.com\/advisories\/GHSA-vmjj-qr7v-pxm6","cve":"CVE-2026-41232","affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:05","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vmjj-qr7v-pxm6"}]},{"advisoryId":"PKSA-jy2x-d5vf-ycwz","packageName":"froxlor\/froxlor","remoteId":"GHSA-75h4-c557-j89r","title":"Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron","link":"https:\/\/github.com\/advisories\/GHSA-75h4-c557-j89r","cve":"CVE-2026-41231","affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:18","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-75h4-c557-j89r"}]},{"advisoryId":"PKSA-zvbr-5xtx-pwd7","packageName":"froxlor\/froxlor","remoteId":"GHSA-47hf-23pw-3m8c","title":"Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()","link":"https:\/\/github.com\/advisories\/GHSA-47hf-23pw-3m8c","cve":"CVE-2026-41230","affectedVersions":"\u003C2.3.6","source":"GitHub","reportedAt":"2026-04-16 00:47:26","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-47hf-23pw-3m8c"}]},{"advisoryId":"PKSA-s4pz-z4hm-5n7x","packageName":"froxlor\/froxlor","remoteId":"GHSA-gc9w-cc93-rjv8","title":"Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)","link":"https:\/\/github.com\/advisories\/GHSA-gc9w-cc93-rjv8","cve":"CVE-2026-41229","affectedVersions":"\u003C=2.3.5","source":"GitHub","reportedAt":"2026-04-16 00:50:00","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-gc9w-cc93-rjv8"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-dmwd-n76s-m3f9","packageName":"craftcms\/cms","remoteId":"GHSA-jq2f-59pj-p3m3","title":"Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action","link":"https:\/\/github.com\/advisories\/GHSA-jq2f-59pj-p3m3","cve":"CVE-2026-41128","affectedVersions":"\u003E=5.6.0,\u003C5.9.15","source":"GitHub","reportedAt":"2026-04-14 23:34:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jq2f-59pj-p3m3"}]},{"advisoryId":"PKSA-wb3t-ts8t-d4cj","packageName":"craftcms\/cms","remoteId":"GHSA-3m9m-24vh-39wx","title":"Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations","link":"https:\/\/github.com\/advisories\/GHSA-3m9m-24vh-39wx","cve":"CVE-2026-41129","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:35:16","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3m9m-24vh-39wx"}]},{"advisoryId":"PKSA-ntd3-69q5-4cfy","packageName":"craftcms\/cms","remoteId":"GHSA-95wr-3f2v-v2wh","title":"Craft CMS has a host header injection leading to SSRF via resource-js endpoint","link":"https:\/\/github.com\/advisories\/GHSA-95wr-3f2v-v2wh","cve":"CVE-2026-41130","affectedVersions":"\u003E=4.0.0-RC1,\u003C=4.17.8|\u003E=5.0.0-RC1,\u003C=5.9.14","source":"GitHub","reportedAt":"2026-04-14 23:36:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-95wr-3f2v-v2wh"}]}]}}