GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
204 advisories
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter. Severity: Moderate. CVE-2026-40099 was published for getkirby/cms (Composer) on Apr 23, 2026.

Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering. Severity: High. CVE-2026-34587 was published for getkirby/cms (Composer) on Apr 23, 2026.

Astro: XSS in define:vars via incomplete </script> tag sanitization. Severity: Moderate. CVE-2026-41067 was published for astro (npm) on Apr 21, 2026.

Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE. Severity: High. CVE-2026-40938 was published for github.com/tektoncd/pipeline (Go) on Apr 21, 2026.

Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion. Severity: Moderate. CVE-2026-40924 was published for github.com/tektoncd/pipeline (Go) on Apr 21, 2026.

Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching. Severity: Moderate. CVE-2026-25542 was published for github.com/tektoncd/pipeline (Go) on Apr 21, 2026.

Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise. Severity: Critical. GHSA-3xx2-mqjm-hg9x was published for @paperclipai/server (npm) on Apr 16, 2026.

Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization. Severity: Moderate. GHSA-fpw4-p57j-hqmq was published for @paperclipai/ui (npm) on Apr 16, 2026.

Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server. Severity: Moderate. GHSA-p7mm-r948-4q3q was published for @paperclipai/server (npm) on Apr 16, 2026.

sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements. Severity: Moderate. CVE-2026-40186 was published for sanitize-html (npm) on Apr 16, 2026.

ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions. Severity: Moderate. CVE-2026-39857 was published for apostrophe (npm) on Apr 16, 2026.

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context. Severity: Moderate. CVE-2026-33889 was published for apostrophe (npm) on Apr 16, 2026.

ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API. Severity: Moderate. CVE-2026-33888 was published for apostrophe (npm) on Apr 16, 2026.

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint. Severity: Low. CVE-2026-33877 was published for apostrophe (npm) on Apr 16, 2026.

pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition). Severity: Moderate. CVE-2026-40594 was published for pyload-ng (pip) on Apr 16, 2026.

Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution. Severity: Critical. GHSA-w59f-67xm-rxx7 was published for froxlor/froxlor (Composer) on Apr 16, 2026.

Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API). Severity: Critical. GHSA-gc9w-cc93-rjv8 was published for froxlor/froxlor (Composer) on Apr 16, 2026.

Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add(). Severity: High. GHSA-47hf-23pw-3m8c was published for froxlor/froxlor (Composer) on Apr 16, 2026.

Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron. Severity: High. GHSA-75h4-c557-j89r was published for froxlor/froxlor (Composer) on Apr 16, 2026.

Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing. Severity: Moderate. GHSA-vmjj-qr7v-pxm6 was published for froxlor/froxlor (Composer) on Apr 16, 2026.

Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add(). Severity: Moderate. GHSA-jvx4-xv3m-hrj4 was published for froxlor/froxlor (Composer) on Apr 16, 2026.

WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver. Severity: Moderate. GHSA-8pv3-29pp-pf8f was published for wwbn/avideo (Composer) on Apr 14, 2026.

WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL. Severity: High. GHSA-j432-4w3j-3w8j was published for wwbn/avideo (Composer) on Apr 14, 2026.

WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses. Severity: High. GHSA-ff5q-cc22-fgp4 was published for wwbn/avideo (Composer) on Apr 14, 2026.

WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover. Severity: High. GHSA-ccq9-r5cw-5hwq was published for wwbn/avideo (Composer) on Apr 14, 2026.
ProTip! Advisories are also available from the GraphQL API.