{"advisories":{"krayin\/laravel-crm":[{"advisoryId":"PKSA-vkyr-b96k-z2ks","packageName":"krayin\/laravel-crm","remoteId":"GHSA-32px-ccfx-cxq3","title":"Krayin CRM allows a remote attacker to execute arbitrary code via compose email function","link":"https:\/\/github.com\/advisories\/GHSA-32px-ccfx-cxq3","cve":"CVE-2026-36340","affectedVersions":"=2.1.5","source":"GitHub","reportedAt":"2026-04-30 18:30:32","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-32px-ccfx-cxq3"}]}],"cockpit-hq\/cockpit":[{"advisoryId":"PKSA-dpw9-65w1-pksf","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-j2rx-4jg9-79mw","title":"Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type","link":"https:\/\/github.com\/advisories\/GHSA-j2rx-4jg9-79mw","cve":"CVE-2026-38991","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 18:31:34","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-j2rx-4jg9-79mw"}]},{"advisoryId":"PKSA-gx1h-274c-423s","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-p46p-7pmj-m34f","title":"Cockpit is vulnerable to directory traversal","link":"https:\/\/github.com\/advisories\/GHSA-p46p-7pmj-m34f","cve":"CVE-2026-38993","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 18:31:34","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-p46p-7pmj-m34f"}]},{"advisoryId":"PKSA-496r-cnzn-ck12","packageName":"cockpit-hq\/cockpit","remoteId":"GHSA-fm6c-rhcf-7439","title":"Cockpit is vulnerable to arbitrary code execution","link":"https:\/\/github.com\/advisories\/GHSA-fm6c-rhcf-7439","cve":"CVE-2026-38992","affectedVersions":"\u003C2.14.0","source":"GitHub","reportedAt":"2026-04-29 
15:30:39","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fm6c-rhcf-7439"}]}],"getgrav\/grav-plugin-form":[{"advisoryId":"PKSA-t8zh-nz62-2js9","packageName":"getgrav\/grav-plugin-form","remoteId":"GHSA-w4rc-p66m-x6qq","title":"Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override","link":"https:\/\/github.com\/advisories\/GHSA-w4rc-p66m-x6qq","cve":"CVE-2026-42845","affectedVersions":"\u003C9.1.0","source":"GitHub","reportedAt":"2026-05-06 23:03:13","composerRepository":null,"severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w4rc-p66m-x6qq"}]}],"bagisto\/bagisto":[{"advisoryId":"PKSA-fphw-3zcz-ygcb","packageName":"bagisto\/bagisto","remoteId":"GHSA-65fp-7g2v-658r","title":"Bagisto affected by Cross-site Scripting","link":"https:\/\/github.com\/advisories\/GHSA-65fp-7g2v-658r","cve":"CVE-2026-6745","affectedVersions":"\u003C=2.3.15","source":"GitHub","reportedAt":"2026-04-21 21:31:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-65fp-7g2v-658r"}]},{"advisoryId":"PKSA-5txd-q8wz-njb7","packageName":"bagisto\/bagisto","remoteId":"GHSA-x3f9-vcp2-hgcw","title":"Bagisto affected by Server-Side Request Forgery","link":"https:\/\/github.com\/advisories\/GHSA-x3f9-vcp2-hgcw","cve":"CVE-2026-6744","affectedVersions":"\u003C=2.3.15","source":"GitHub","reportedAt":"2026-04-21 21:31:23","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-x3f9-vcp2-hgcw"}]}],"flightphp\/core":[{"advisoryId":"PKSA-wvkx-qqd9-sqb6","packageName":"flightphp\/core","remoteId":"GHSA-fcx8-ph5r-mxr4","title":"Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() ","link":"https:\/\/github.com\/advisories\/GHSA-fcx8-ph5r-mxr4","cve":"CVE-2026-42548","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 
21:34:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fcx8-ph5r-mxr4"}]},{"advisoryId":"PKSA-1wr3-jdqm-7ppr","packageName":"flightphp\/core","remoteId":"GHSA-3xjv-pmf2-gf2q","title":"Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root","link":"https:\/\/github.com\/advisories\/GHSA-3xjv-pmf2-gf2q","cve":"CVE-2026-42549","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:34:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3xjv-pmf2-gf2q"}]},{"advisoryId":"PKSA-jtc2-k2n3-ck2b","packageName":"flightphp\/core","remoteId":"GHSA-xwqr-rcqg-22mr","title":"Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert \/ update \/ delete","link":"https:\/\/github.com\/advisories\/GHSA-xwqr-rcqg-22mr","cve":"CVE-2026-42550","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:35:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xwqr-rcqg-22mr"}]},{"advisoryId":"PKSA-w12s-8pdm-4hrq","packageName":"flightphp\/core","remoteId":"GHSA-vxrr-w42w-w76g","title":"Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass","link":"https:\/\/github.com\/advisories\/GHSA-vxrr-w42w-w76g","cve":"CVE-2026-42551","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:38:16","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vxrr-w42w-w76g"}]},{"advisoryId":"PKSA-c4m3-5zjm-wjht","packageName":"flightphp\/core","remoteId":"GHSA-qrch-52m5-vv85","title":"Flight vulnerable to sensitive information disclosure via default error 
handler","link":"https:\/\/github.com\/advisories\/GHSA-qrch-52m5-vv85","cve":"CVE-2026-42552","affectedVersions":"\u003C3.18.1","source":"GitHub","reportedAt":"2026-05-06 21:39:07","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qrch-52m5-vv85"}]}],"getgrav\/grav":[{"advisoryId":"PKSA-jtpz-17pm-t9v9","packageName":"getgrav\/grav","remoteId":"GHSA-6xx2-m8wv-756h","title":"Low-privileged Grav API users can create super-admin accounts via blueprint-upload","link":"https:\/\/github.com\/advisories\/GHSA-6xx2-m8wv-756h","cve":"CVE-2026-42844","affectedVersions":"\u003C2.0.0-beta.4","source":"GitHub","reportedAt":"2026-05-06 21:19:21","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-6xx2-m8wv-756h"}]},{"advisoryId":"PKSA-ncnf-tf1t-zhtj","packageName":"getgrav\/grav","remoteId":"GHSA-hmcx-ch82-3fv2","title":"Grav has Unauthenticated Path Traversal \u0026 Arbitrary File Write in its FormFlash component","link":"https:\/\/github.com\/advisories\/GHSA-hmcx-ch82-3fv2","cve":"CVE-2026-42608","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:34:58","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-hmcx-ch82-3fv2"}]},{"advisoryId":"PKSA-59xg-9744-g5wz","packageName":"getgrav\/grav","remoteId":"GHSA-3446-6mgw-f79p","title":"Grav is Vulnerable to XXE via SVG Upload ","link":"https:\/\/github.com\/advisories\/GHSA-3446-6mgw-f79p","cve":null,"affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:35:53","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3446-6mgw-f79p"}]},{"advisoryId":"PKSA-sd9s-hpbv-6d8f","packageName":"getgrav\/grav","remoteId":"GHSA-w8cg-7jcj-4vv2","title":"Grav is Vulnerable to Stored XSS via Tag 
Injection","link":"https:\/\/github.com\/advisories\/GHSA-w8cg-7jcj-4vv2","cve":"CVE-2026-42611","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:36:27","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-w8cg-7jcj-4vv2"}]},{"advisoryId":"PKSA-st6r-p3js-kbk7","packageName":"getgrav\/grav","remoteId":"GHSA-w48r-jppp-rcfw","title":"Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature","link":"https:\/\/github.com\/advisories\/GHSA-w48r-jppp-rcfw","cve":"CVE-2026-42607","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:21:10","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-w48r-jppp-rcfw"}]},{"advisoryId":"PKSA-yx72-zyj1-gtxy","packageName":"getgrav\/grav","remoteId":"GHSA-r7fx-8g49-7hhr","title":"Grav CMS vulnerable to stored XSS via Markdown media attribute() action","link":"https:\/\/github.com\/advisories\/GHSA-r7fx-8g49-7hhr","cve":"CVE-2026-42841","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:24:08","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-r7fx-8g49-7hhr"}]},{"advisoryId":"PKSA-ddbz-4vx4-q29g","packageName":"getgrav\/grav","remoteId":"GHSA-c2q3-p4jr-c55f","title":"Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel","link":"https:\/\/github.com\/advisories\/GHSA-c2q3-p4jr-c55f","cve":"CVE-2026-42842","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:24:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-c2q3-p4jr-c55f"}]},{"advisoryId":"PKSA-pzhx-ftqg-8fxh","packageName":"getgrav\/grav","remoteId":"GHSA-pxm6-mhxr-q4mj","title":"Grav Vulnerable to Privilege Escalation via Missing Server-Side 
Validation of groups\/access","link":"https:\/\/github.com\/advisories\/GHSA-pxm6-mhxr-q4mj","cve":"CVE-2026-42613","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:26:06","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-pxm6-mhxr-q4mj"}]},{"advisoryId":"PKSA-69wb-mt3g-24xp","packageName":"getgrav\/grav","remoteId":"GHSA-3f29-pqwf-v4j4","title":"Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass","link":"https:\/\/github.com\/advisories\/GHSA-3f29-pqwf-v4j4","cve":"CVE-2026-42610","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:26:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3f29-pqwf-v4j4"}]},{"advisoryId":"PKSA-dxs6-j3rv-n16d","packageName":"getgrav\/grav","remoteId":"GHSA-9695-8fr9-hw5q","title":"Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes","link":"https:\/\/github.com\/advisories\/GHSA-9695-8fr9-hw5q","cve":"CVE-2026-42612","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:27:15","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9695-8fr9-hw5q"}]},{"advisoryId":"PKSA-vnvp-8nvk-g8ck","packageName":"getgrav\/grav","remoteId":"GHSA-vj3m-2g9h-vm4p","title":"Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass","link":"https:\/\/github.com\/advisories\/GHSA-vj3m-2g9h-vm4p","cve":null,"affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:29:02","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-vj3m-2g9h-vm4p"}]},{"advisoryId":"PKSA-t2z1-v63n-9cpk","packageName":"getgrav\/grav","remoteId":"GHSA-gwfr-jfjf-92vv","title":"Grav has Insecure Deserialization in 
File Cache","link":"https:\/\/github.com\/advisories\/GHSA-gwfr-jfjf-92vv","cve":null,"affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:29:29","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gwfr-jfjf-92vv"}]},{"advisoryId":"PKSA-fchw-jdvj-kg96","packageName":"getgrav\/grav","remoteId":"GHSA-rr73-568v-28f8","title":"Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic","link":"https:\/\/github.com\/advisories\/GHSA-rr73-568v-28f8","cve":"CVE-2026-42609","affectedVersions":"\u003C2.0.0-beta.2","source":"GitHub","reportedAt":"2026-05-05 21:29:53","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-rr73-568v-28f8"}]}],"statamic\/cms":[{"advisoryId":"PKSA-ynr1-y6st-8cwm","packageName":"statamic\/cms","remoteId":"GHSA-m24v-f7g5-gq67","title":"Statamic CMS vulnerable to email enumeration via forgot password endpoint","link":"https:\/\/github.com\/advisories\/GHSA-m24v-f7g5-gq67","cve":"CVE-2026-44306","affectedVersions":"\u003E=6.0.0,\u003C6.15.0|\u003C5.73.21","source":"GitHub","reportedAt":"2026-05-06 20:54:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-m24v-f7g5-gq67"}]}],"openmage\/magento-lts":[{"advisoryId":"PKSA-j61z-h6ts-jp8k","packageName":"openmage\/magento-lts","remoteId":"GHSA-x8jv-q8j2-487c","title":"Magento LTS: Reflected XSS - Import -\u003E Data Flow (profiles) ","link":"https:\/\/github.com\/advisories\/GHSA-x8jv-q8j2-487c","cve":"CVE-2026-42458","affectedVersions":"\u003C=20.17.0","source":"GitHub","reportedAt":"2026-05-06 
20:57:37","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x8jv-q8j2-487c"}]},{"advisoryId":"PKSA-3c4m-s9d4-ycyr","packageName":"openmage\/magento-lts","remoteId":"GHSA-qpgq-5g92-j5q8","title":"Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`","link":"https:\/\/github.com\/advisories\/GHSA-qpgq-5g92-j5q8","cve":"CVE-2026-42207","affectedVersions":"\u003C=20.17.0","source":"GitHub","reportedAt":"2026-05-05 20:11:21","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qpgq-5g92-j5q8"}]},{"advisoryId":"PKSA-qjnm-jjkr-qktb","packageName":"openmage\/magento-lts","remoteId":"GHSA-2cwr-gcf9-pvxr","title":"Magento LTS has Weak API Session ID \u2014 Predictable MD5 of Time-Derived Inputs","link":"https:\/\/github.com\/advisories\/GHSA-2cwr-gcf9-pvxr","cve":"CVE-2026-42155","affectedVersions":"\u003C=20.17.0","source":"GitHub","reportedAt":"2026-05-05 19:35:56","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-2cwr-gcf9-pvxr"}]}],"thorsten\/phpmyfaq":[{"advisoryId":"PKSA-q6mm-vp1w-mgjs","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-n87n-9t5q-zcf5","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token 
fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-k9ft-9rnh-h8dn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-djzh-dx9x-j5hd","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-trv8-7xnx-t8d9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-198b-7kr6-ksdh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | raw Filter in search.twig \u2014 
html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-42b7-bh2b-d7nn","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-pmsp-dtdj-k1f9","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-1zxw-krpv-74xh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 
20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-b77f-s5cd-b1qh","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-p58s-jb5m-qycz","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-7cx3-2qx2-3g6w","title":"phpMyFAQ\u0027s Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags","link":"https:\/\/github.com\/advisories\/GHSA-7cx3-2qx2-3g6w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:12:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cx3-2qx2-3g6w"}]},{"advisoryId":"PKSA-jr2y-dd2x-qtks","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-sw8q-jkxw-m11r","packageName":"thorsten\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored 
XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"phpmyfaq\/phpmyfaq":[{"advisoryId":"PKSA-6pt5-mfr3-5b72","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9pq7-mfwh-xx2j","title":"phpMyFAQ enables unauthenticated 2FA brute-force attack via \/admin\/check acceptance of arbitrary user-id","link":"https:\/\/github.com\/advisories\/GHSA-9pq7-mfwh-xx2j","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:42:54","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-9pq7-mfwh-xx2j"}]},{"advisoryId":"PKSA-r4gq-dd3d-gxrj","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pm8c-3qq3-72w7","title":"phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields","link":"https:\/\/github.com\/advisories\/GHSA-pm8c-3qq3-72w7","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:44:39","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-pm8c-3qq3-72w7"}]},{"advisoryId":"PKSA-76kk-7mdh-r8h5","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-99qv-g4x9-mgc3","title":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","link":"https:\/\/github.com\/advisories\/GHSA-99qv-g4x9-mgc3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:45:01","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-99qv-g4x9-mgc3"}]},{"advisoryId":"PKSA-tvkw-wcnm-h63h","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-gh9p-q46p-57g2","title":"phpMyFAQ: Path Traversal in Client::deleteClientFolder 
enables arbitrary directory deletion by non-super-admin admins","link":"https:\/\/github.com\/advisories\/GHSA-gh9p-q46p-57g2","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:47:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-gh9p-q46p-57g2"}]},{"advisoryId":"PKSA-6nrc-qfr1-rds3","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-289f-fq7w-6q2w","title":"phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha","link":"https:\/\/github.com\/advisories\/GHSA-289f-fq7w-6q2w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:49:15","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-289f-fq7w-6q2w"}]},{"advisoryId":"PKSA-7dk8-b5d5-n9bf","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-pqh6-8fxf-jx22","title":"phpMyFAQ has stored XSS via | raw Filter in search.twig \u2014 html_entity_decode(strip_tags()) Bypass in Search Result Rendering","link":"https:\/\/github.com\/advisories\/GHSA-pqh6-8fxf-jx22","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:31:54","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-pqh6-8fxf-jx22"}]},{"advisoryId":"PKSA-v8r2-1321-xzpp","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-jrc5-w569-h7h5","title":"phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ","link":"https:\/\/github.com\/advisories\/GHSA-jrc5-w569-h7h5","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 
20:37:42","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jrc5-w569-h7h5"}]},{"advisoryId":"PKSA-n88j-cgtd-2fvg","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-rm98-82fr-mcfx","title":"phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User","link":"https:\/\/github.com\/advisories\/GHSA-rm98-82fr-mcfx","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:24:39","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-rm98-82fr-mcfx"}]},{"advisoryId":"PKSA-vm8f-6283-2vfw","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-9525-27vj-c8r8","title":"phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering","link":"https:\/\/github.com\/advisories\/GHSA-9525-27vj-c8r8","cve":null,"affectedVersions":"=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:10:48","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-9525-27vj-c8r8"}]},{"advisoryId":"PKSA-8syh-w2cp-tqks","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-hpgw-ww76-c68r","title":"phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check","link":"https:\/\/github.com\/advisories\/GHSA-hpgw-ww76-c68r","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:11:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hpgw-ww76-c68r"}]},{"advisoryId":"PKSA-117q-9kx2-kjzm","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-7cx3-2qx2-3g6w","title":"phpMyFAQ\u0027s Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete 
Tags","link":"https:\/\/github.com\/advisories\/GHSA-7cx3-2qx2-3g6w","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:12:07","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7cx3-2qx2-3g6w"}]},{"advisoryId":"PKSA-6zc3-3brt-ftsh","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-f5p7-2c9q-8896","title":"phpMyFAQ has Stored XSS in FAQ Question\/Answer via Encode-Decode Bypass of removeAttributes() Sanitization","link":"https:\/\/github.com\/advisories\/GHSA-f5p7-2c9q-8896","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:02","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5p7-2c9q-8896"}]},{"advisoryId":"PKSA-jn65-sph2-9wn9","packageName":"phpmyfaq\/phpmyfaq","remoteId":"GHSA-whqh-9pq5-c7r3","title":"phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS","link":"https:\/\/github.com\/advisories\/GHSA-whqh-9pq5-c7r3","cve":null,"affectedVersions":"\u003C=4.1.1","source":"GitHub","reportedAt":"2026-05-06 20:18:48","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-whqh-9pq5-c7r3"}]}],"dedoc\/scramble":[{"advisoryId":"PKSA-kb5d-bgb1-8ykp","packageName":"dedoc\/scramble","remoteId":"GHSA-4rm2-28vj-fj39","title":"Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules","link":"https:\/\/github.com\/advisories\/GHSA-4rm2-28vj-fj39","cve":"CVE-2026-44262","affectedVersions":"\u003E=0.13.2,\u003C=0.13.21","source":"GitHub","reportedAt":"2026-05-06 19:54:56","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-4rm2-28vj-fj39"}]},{"advisoryId":"PKSA-qgg1-cfs4-rkb8","packageName":"dedoc\/scramble","remoteId":"dedoc\/scramble\/2026-04-28.yaml","title":"Remote code 
execution via evaluation of user-controlled input in validation rules","link":"https:\/\/github.com\/dedoc\/scramble\/security\/advisories\/GHSA-4rm2-28vj-fj39","cve":null,"affectedVersions":"\u003E=0.13.2,\u003C0.13.22","source":"FriendsOfPHP\/security-advisories","reportedAt":"2026-04-28 00:00:00","composerRepository":"https:\/\/packagist.org","severity":null,"sources":[{"name":"FriendsOfPHP\/security-advisories","remoteId":"dedoc\/scramble\/2026-04-28.yaml"}]}],"pimcore\/pimcore":[{"advisoryId":"PKSA-m2yg-zp8k-8hxj","packageName":"pimcore\/pimcore","remoteId":"GHSA-7gxw-q9j5-mrj4","title":"Pimcore has an authenticated Cross-site Scripting issue","link":"https:\/\/github.com\/advisories\/GHSA-7gxw-q9j5-mrj4","cve":"CVE-2026-5362","affectedVersions":"=12.3.3","source":"GitHub","reportedAt":"2026-04-27 21:31:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-7gxw-q9j5-mrj4"}]},{"advisoryId":"PKSA-vp19-ydt7-tws9","packageName":"pimcore\/pimcore","remoteId":"GHSA-c8g3-x47w-8q7p","title":"Pimcore admin users can trigger SQL Injection","link":"https:\/\/github.com\/advisories\/GHSA-c8g3-x47w-8q7p","cve":"CVE-2026-5394","affectedVersions":"=12.3.3","source":"GitHub","reportedAt":"2026-04-27 21:31:02","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-c8g3-x47w-8q7p"}]}],"kimai\/kimai":[{"advisoryId":"PKSA-zy2k-4hm5-25gd","packageName":"kimai\/kimai","remoteId":"GHSA-vrqv-52x7-rm4v","title":"Kimai\u0027s Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice\/export templates","link":"https:\/\/github.com\/advisories\/GHSA-vrqv-52x7-rm4v","cve":null,"affectedVersions":"\u003C=2.55.0","source":"GitHub","reportedAt":"2026-05-06 
18:42:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vrqv-52x7-rm4v"}]},{"advisoryId":"PKSA-5g91-2cyx-w1s8","packageName":"kimai\/kimai","remoteId":"GHSA-9g2q-w3w2-vf7q","title":"Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation","link":"https:\/\/github.com\/advisories\/GHSA-9g2q-w3w2-vf7q","cve":null,"affectedVersions":"\u003C=2.55.0","source":"GitHub","reportedAt":"2026-05-06 18:28:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-9g2q-w3w2-vf7q"}]},{"advisoryId":"PKSA-z4ky-h9pc-hn66","packageName":"kimai\/kimai","remoteId":"GHSA-3xc2-h5r3-wv3r","title":"Kimai vulnerable to formula Injection via tag names in XLSX export","link":"https:\/\/github.com\/advisories\/GHSA-3xc2-h5r3-wv3r","cve":"CVE-2026-42267","affectedVersions":"\u003E=2.27.0,\u003C=2.53.0","source":"GitHub","reportedAt":"2026-05-05 20:53:38","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-3xc2-h5r3-wv3r"}]}],"craftcms\/cms":[{"advisoryId":"PKSA-7b21-z11x-97gc","packageName":"craftcms\/cms","remoteId":"GHSA-qrgm-p9w5-rrfw","title":"Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior","link":"https:\/\/github.com\/advisories\/GHSA-qrgm-p9w5-rrfw","cve":"CVE-2026-44011","affectedVersions":"\u003E=5.0.0,\u003C5.9.18|\u003E=4.0.0,\u003C4.17.12","source":"GitHub","reportedAt":"2026-05-06 17:54:06","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qrgm-p9w5-rrfw"}]},{"advisoryId":"PKSA-tj2m-c963-6jtt","packageName":"craftcms\/cms","remoteId":"GHSA-33m5-hqp9-97pw","title":"Craft CMS\u0027s Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information 
Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-33m5-hqp9-97pw","cve":"CVE-2026-44012","affectedVersions":"\u003E=5.0.0-RC1,\u003C5.9.18","source":"GitHub","reportedAt":"2026-05-06 17:54:47","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-33m5-hqp9-97pw"}]},{"advisoryId":"PKSA-sxz1-z4jg-2vhh","packageName":"craftcms\/cms","remoteId":"GHSA-gj2p-p9m4-c8gw","title":"Craft CMS\u0027s Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure","link":"https:\/\/github.com\/advisories\/GHSA-gj2p-p9m4-c8gw","cve":"CVE-2026-44010","affectedVersions":"\u003E=4.0.0,\u003C4.17.12|\u003E=5.0.0,\u003C5.9.18","source":"GitHub","reportedAt":"2026-05-06 17:49:17","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gj2p-p9m4-c8gw"}]}],"wwbn\/avideo":[{"advisoryId":"PKSA-fx66-ws43-zr1x","packageName":"wwbn\/avideo","remoteId":"GHSA-xr49-f4rh-qcjf","title":"AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization","link":"https:\/\/github.com\/advisories\/GHSA-xr49-f4rh-qcjf","cve":"CVE-2026-43885","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:20:42","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-xr49-f4rh-qcjf"}]},{"advisoryId":"PKSA-81bf-8cfg-hbh2","packageName":"wwbn\/avideo","remoteId":"GHSA-mwgh-92m2-wvhv","title":"AVideo: Unauthenticated CRLF\/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing","link":"https:\/\/github.com\/advisories\/GHSA-mwgh-92m2-wvhv","cve":"CVE-2026-43882","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 
22:14:31","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mwgh-92m2-wvhv"}]},{"advisoryId":"PKSA-45d7-4cq7-wyg1","packageName":"wwbn\/avideo","remoteId":"GHSA-958h-qp3x-q4gj","title":"AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements","link":"https:\/\/github.com\/advisories\/GHSA-958h-qp3x-q4gj","cve":"CVE-2026-43883","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:16:12","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-958h-qp3x-q4gj"}]},{"advisoryId":"PKSA-458v-1gr5-bf2y","packageName":"wwbn\/avideo","remoteId":"GHSA-2hch-c97c-g99x","title":"AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()","link":"https:\/\/github.com\/advisories\/GHSA-2hch-c97c-g99x","cve":"CVE-2026-43884","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:16:33","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2hch-c97c-g99x"}]},{"advisoryId":"PKSA-m1k1-6n5g-5skj","packageName":"wwbn\/avideo","remoteId":"GHSA-6rvw-7p8v-mjfq","title":"AVideo: Unauthenticated User Enumeration in objects\/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction","link":"https:\/\/github.com\/advisories\/GHSA-6rvw-7p8v-mjfq","cve":"CVE-2026-43881","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 22:02:35","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-6rvw-7p8v-mjfq"}]},{"advisoryId":"PKSA-7c98-nyt4-qt25","packageName":"wwbn\/avideo","remoteId":"GHSA-5hgj-7gm9-cff5","title":"AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site\u2019s Legitimate From 
Address","link":"https:\/\/github.com\/advisories\/GHSA-5hgj-7gm9-cff5","cve":"CVE-2026-43880","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 21:56:19","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5hgj-7gm9-cff5"}]},{"advisoryId":"PKSA-n1mw-ddw6-yyqd","packageName":"wwbn\/avideo","remoteId":"GHSA-wp38-whx3-xffh","title":"AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass","link":"https:\/\/github.com\/advisories\/GHSA-wp38-whx3-xffh","cve":"CVE-2026-43879","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 21:49:23","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-wp38-whx3-xffh"}]},{"advisoryId":"PKSA-71gv-fx3g-ynk8","packageName":"wwbn\/avideo","remoteId":"GHSA-g9cm-rxp7-6gv5","title":"AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers","link":"https:\/\/github.com\/advisories\/GHSA-g9cm-rxp7-6gv5","cve":"CVE-2026-43876","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:11:32","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-g9cm-rxp7-6gv5"}]},{"advisoryId":"PKSA-7rzh-pwkp-t841","packageName":"wwbn\/avideo","remoteId":"GHSA-jw8g-5j46-44rp","title":"AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users\u0027 Profile Photos with Arbitrary Content","link":"https:\/\/github.com\/advisories\/GHSA-jw8g-5j46-44rp","cve":"CVE-2026-43877","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 
19:13:03","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-jw8g-5j46-44rp"}]},{"advisoryId":"PKSA-x5f2-6rvc-vhkd","packageName":"wwbn\/avideo","remoteId":"GHSA-mm5f-8q57-4fc4","title":"AVideo: Reflected XSS in plugin\/Meet\/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal","link":"https:\/\/github.com\/advisories\/GHSA-mm5f-8q57-4fc4","cve":"CVE-2026-43878","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:15:56","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-mm5f-8q57-4fc4"}]},{"advisoryId":"PKSA-15fj-zg4r-zsnq","packageName":"wwbn\/avideo","remoteId":"GHSA-ghcv-22jf-vfxm","title":"AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg[\u0027json\u0027]` Relay Bypass","link":"https:\/\/github.com\/advisories\/GHSA-ghcv-22jf-vfxm","cve":"CVE-2026-43874","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:07:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-ghcv-22jf-vfxm"}]},{"advisoryId":"PKSA-dbh3-mg7m-c1nc","packageName":"wwbn\/avideo","remoteId":"GHSA-5w8w-26ch-v5cw","title":"AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover","link":"https:\/\/github.com\/advisories\/GHSA-5w8w-26ch-v5cw","cve":"CVE-2026-43875","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 19:08:45","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5w8w-26ch-v5cw"}]},{"advisoryId":"PKSA-5tbj-dcxw-w2wv","packageName":"wwbn\/avideo","remoteId":"GHSA-qm9p-p5pw-jrx2","title":"AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone 
Server","link":"https:\/\/github.com\/advisories\/GHSA-qm9p-p5pw-jrx2","cve":"CVE-2026-43873","affectedVersions":"\u003C=29.0","source":"GitHub","reportedAt":"2026-05-05 18:58:13","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-qm9p-p5pw-jrx2"}]}],"getgrav\/grav-plugin-api":[{"advisoryId":"PKSA-pxqc-bymp-4wtn","packageName":"getgrav\/grav-plugin-api","remoteId":"GHSA-r945-h4vm-h736","title":"Grav API Privilege Escalation to Super Admin","link":"https:\/\/github.com\/advisories\/GHSA-r945-h4vm-h736","cve":"CVE-2026-42843","affectedVersions":"\u003C1.0.0-beta.15","source":"GitHub","reportedAt":"2026-05-05 21:20:03","composerRepository":null,"severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r945-h4vm-h736"}]}],"phpseclib\/phpseclib":[{"advisoryId":"PKSA-smrh-yx37-92ws","packageName":"phpseclib\/phpseclib","remoteId":"GHSA-3qpq-r242-jqj7","title":"phpseclib has a CVE-2024-27355 mitigation bypass \u2014 OID amplification DoS in ASN1::decodeOID()","link":"https:\/\/github.com\/advisories\/GHSA-3qpq-r242-jqj7","cve":"CVE-2026-44167","affectedVersions":"\u003E=3.0.0,\u003C=3.0.51|\u003E=2.0.0,\u003C=2.0.53|\u003E=0.0.11,\u003C=1.0.28","source":"GitHub","reportedAt":"2026-05-05 21:17:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-3qpq-r242-jqj7"}]}],"showdoc\/showdoc":[{"advisoryId":"PKSA-r6d8-qs1d-pj19","packageName":"showdoc\/showdoc","remoteId":"GHSA-fm5r-cj7v-rj2c","title":"ShowDoc has an Injection vulnerability","link":"https:\/\/github.com\/advisories\/GHSA-fm5r-cj7v-rj2c","cve":"CVE-2026-6982","affectedVersions":"\u003C3.8.1","source":"GitHub","reportedAt":"2026-04-25 
15:33:33","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-fm5r-cj7v-rj2c"}]}],"admidio\/admidio":[{"advisoryId":"PKSA-k2cf-4hh1-rf1y","packageName":"admidio\/admidio","remoteId":"GHSA-hcjj-chvw-fmw9","title":"Admidio has an incomplete fix for CVE-2026-32812 (SSRF)","link":"https:\/\/github.com\/advisories\/GHSA-hcjj-chvw-fmw9","cve":"CVE-2026-42194","affectedVersions":"\u003C=5.0.8","source":"GitHub","reportedAt":"2026-05-05 20:03:46","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-hcjj-chvw-fmw9"}]}],"webonyx\/graphql-php":[{"advisoryId":"PKSA-xwpn-zs9j-6wy5","packageName":"webonyx\/graphql-php","remoteId":"GHSA-r7cg-qjjm-xhqq","title":"webonyx\/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input","link":"https:\/\/github.com\/advisories\/GHSA-r7cg-qjjm-xhqq","cve":null,"affectedVersions":"\u003C=15.32.2","source":"GitHub","reportedAt":"2026-05-05 17:24:57","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-r7cg-qjjm-xhqq"}]},{"advisoryId":"PKSA-sf9j-1gs7-xzvx","packageName":"webonyx\/graphql-php","remoteId":"GHSA-fc86-6rv6-2jpm","title":"webonyx\/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments","link":"https:\/\/github.com\/advisories\/GHSA-fc86-6rv6-2jpm","cve":null,"affectedVersions":"\u003C15.32.2","source":"GitHub","reportedAt":"2026-05-04 22:22:09","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-fc86-6rv6-2jpm"}]}],"mckenziearts\/livewire-markdown-editor":[{"advisoryId":"PKSA-nr7m-pf27-n9rt","packageName":"mckenziearts\/livewire-markdown-editor","remoteId":"GHSA-gxxh-8vcj-w2mh","title":"livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment 
handler","link":"https:\/\/github.com\/advisories\/GHSA-gxxh-8vcj-w2mh","cve":null,"affectedVersions":"\u003C1.3","source":"GitHub","reportedAt":"2026-05-04 22:11:05","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gxxh-8vcj-w2mh"}]}],"nabeel\/phpvms":[{"advisoryId":"PKSA-21zk-g67c-5537","packageName":"nabeel\/phpvms","remoteId":"GHSA-fv26-4939-62fh","title":"phpVMS has an \/importer authorization bypass causing full database wipe","link":"https:\/\/github.com\/advisories\/GHSA-fv26-4939-62fh","cve":"CVE-2026-42569","affectedVersions":"\u003C7.0.6","source":"GitHub","reportedAt":"2026-05-04 21:20:40","composerRepository":"https:\/\/packagist.org","severity":"critical","sources":[{"name":"GitHub","remoteId":"GHSA-fv26-4939-62fh"}]}],"azuracast\/azuracast":[{"advisoryId":"PKSA-nx6v-99r9-ndh5","packageName":"azuracast\/azuracast","remoteId":"GHSA-vp2f-cqqp-478j","title":"AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload","link":"https:\/\/github.com\/advisories\/GHSA-vp2f-cqqp-478j","cve":"CVE-2026-42605","affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:16:51","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-vp2f-cqqp-478j"}]},{"advisoryId":"PKSA-8467-6xvh-v57b","packageName":"azuracast\/azuracast","remoteId":"GHSA-gv7r-3mr9-h5x8","title":"AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass","link":"https:\/\/github.com\/advisories\/GHSA-gv7r-3mr9-h5x8","cve":"CVE-2026-42606","affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 
21:17:45","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-gv7r-3mr9-h5x8"}]},{"advisoryId":"PKSA-x7rb-qk7x-brrk","packageName":"azuracast\/azuracast","remoteId":"GHSA-4fm3-ggg2-c6qx","title":"AzuraCast\u0027s Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption","link":"https:\/\/github.com\/advisories\/GHSA-4fm3-ggg2-c6qx","cve":null,"affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:18:22","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-4fm3-ggg2-c6qx"}]},{"advisoryId":"PKSA-6p4x-2pyn-gcq9","packageName":"azuracast\/azuracast","remoteId":"GHSA-qff7-q5fm-8p76","title":"AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration","link":"https:\/\/github.com\/advisories\/GHSA-qff7-q5fm-8p76","cve":null,"affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:19:24","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-qff7-q5fm-8p76"}]},{"advisoryId":"PKSA-wgbn-7zcq-1tdt","packageName":"azuracast\/azuracast","remoteId":"GHSA-q4ph-8x8g-95f8","title":"AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field","link":"https:\/\/github.com\/advisories\/GHSA-q4ph-8x8g-95f8","cve":null,"affectedVersions":"\u003C=0.23.5","source":"GitHub","reportedAt":"2026-05-04 21:19:55","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-q4ph-8x8g-95f8"}]}],"ci4-cms-erp\/ci4ms":[{"advisoryId":"PKSA-kq1j-n47j-c2p7","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-vgrf-pr28-vf98","title":"CI4MS Vulnerable to Arbitrary Database Table Drop via Theme 
deleteProcess","link":"https:\/\/github.com\/advisories\/GHSA-vgrf-pr28-vf98","cve":"CVE-2026-41890","affectedVersions":"\u003E=0.31.1.0,\u003C=0.31.7.0","source":"GitHub","reportedAt":"2026-05-04 20:50:10","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-vgrf-pr28-vf98"}]},{"advisoryId":"PKSA-cf98-gsv6-bv96","packageName":"ci4-cms-erp\/ci4ms","remoteId":"GHSA-5hfv-c864-qcq9","title":"CI4MS has a Deactivated User Session Bypass (active=0)","link":"https:\/\/github.com\/advisories\/GHSA-5hfv-c864-qcq9","cve":"CVE-2026-41891","affectedVersions":"\u003E=0.26.0,\u003C=0.31.7.0","source":"GitHub","reportedAt":"2026-05-04 20:50:55","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-5hfv-c864-qcq9"}]}],"getkirby\/cms":[{"advisoryId":"PKSA-wrgq-xy3s-q6nz","packageName":"getkirby\/cms","remoteId":"GHSA-2h7v-4372-f6x2","title":"Kirby CMS\u0027s read access to site, user and role information is not gated by permissions","link":"https:\/\/github.com\/advisories\/GHSA-2h7v-4372-f6x2","cve":"CVE-2026-42069","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-05-04 19:50:24","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-2h7v-4372-f6x2"}]},{"advisoryId":"PKSA-p78d-845h-8y84","packageName":"getkirby\/cms","remoteId":"GHSA-39cp-6679-8xv2","title":"Kirby CMS doesn\u0027t gate user avatar creation, replacement and deletion with user update permissions","link":"https:\/\/github.com\/advisories\/GHSA-39cp-6679-8xv2","cve":"CVE-2026-42174","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-05-04 
19:58:43","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-39cp-6679-8xv2"}]},{"advisoryId":"PKSA-d1w9-s6x2-nh6p","packageName":"getkirby\/cms","remoteId":"GHSA-x68m-c7jf-2572","title":"Kirby CMS\u0027s system API endpoint leaks installed version and license data to authenticated users","link":"https:\/\/github.com\/advisories\/GHSA-x68m-c7jf-2572","cve":"CVE-2026-42051","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-05-04 19:59:30","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-x68m-c7jf-2572"}]},{"advisoryId":"PKSA-bpcj-ysn7-my14","packageName":"getkirby\/cms","remoteId":"GHSA-85x2-r8xv-ww8c","title":"Kirby CMS\u0027s `pages.access\/list` and `files.access\/list` permissions are not consistently checked in the Panel and REST API","link":"https:\/\/github.com\/advisories\/GHSA-85x2-r8xv-ww8c","cve":"CVE-2026-42137","affectedVersions":"\u003E=5.0.0,\u003C=5.3.3|\u003C=4.8.0","source":"GitHub","reportedAt":"2026-04-30 21:03:20","composerRepository":"https:\/\/packagist.org","severity":"high","sources":[{"name":"GitHub","remoteId":"GHSA-85x2-r8xv-ww8c"}]}],"prestashop\/ps_checkout":[{"advisoryId":"PKSA-vdq5-bx4j-ybb1","packageName":"prestashop\/ps_checkout","remoteId":"GHSA-mqq7-wxx5-mp8h","title":"ps_checkout allows unauthorized method invocation through unvalidated parameter","link":"https:\/\/github.com\/advisories\/GHSA-mqq7-wxx5-mp8h","cve":null,"affectedVersions":"\u003C5.3.0","source":"GitHub","reportedAt":"2026-04-30 20:59:28","composerRepository":"https:\/\/packagist.org","severity":"low","sources":[{"name":"GitHub","remoteId":"GHSA-mqq7-wxx5-mp8h"}]}],"almirhodzic\/nova-toggle-5":[{"advisoryId":"PKSA-bty3-jphf-3n5y","packageName":"almirhodzic\/nova-toggle-5","remoteId":"GHSA-f5c8-m5vw-rmgq","title":"nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to 
modify boolean fields","link":"https:\/\/github.com\/advisories\/GHSA-f5c8-m5vw-rmgq","cve":"CVE-2026-42202","affectedVersions":"\u003C1.3.0","source":"GitHub","reportedAt":"2026-04-24 16:00:09","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-f5c8-m5vw-rmgq"}]}],"flarum\/core":[{"advisoryId":"PKSA-4s1v-jz1f-4jpx","packageName":"flarum\/core","remoteId":"GHSA-xjvc-pw2r-6878","title":"Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)","link":"https:\/\/github.com\/advisories\/GHSA-xjvc-pw2r-6878","cve":"CVE-2026-41887","affectedVersions":"\u003E=2.0.0-beta.1,\u003C=2.0.0-beta.8|\u003C=1.8.15","source":"GitHub","reportedAt":"2026-04-22 20:34:52","composerRepository":"https:\/\/packagist.org","severity":"medium","sources":[{"name":"GitHub","remoteId":"GHSA-xjvc-pw2r-6878"}]}]}}