GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5,654 advisories
Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
High
CVE-2026-41325
was published
for
getkirby/cms
(Composer)
Apr 24, 2026
TYPO3 CMS Stores Cleartext Password in User Settings Module
High
CVE-2026-6553
was published
for
typo3/cms-backend
(Composer)
Apr 24, 2026
Kimai has Missing Object-Level Authorization in the Team API
Low
CVE-2026-41498
was published
for
kimai/kimai
(Composer)
Apr 24, 2026
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
Moderate
GHSA-f5c8-m5vw-rmgq
was published
for
almirhodzic/nova-toggle-5
(Composer)
Apr 24, 2026
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
Moderate
CVE-2026-40099
was published
for
getkirby/cms
(Composer)
Apr 23, 2026
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
High
CVE-2026-34587
was published
for
getkirby/cms
(Composer)
Apr 23, 2026
Kirby has XML injection in its XML creator toolkit
Moderate
CVE-2026-32870
was published
for
getkirby/cms
(Composer)
Apr 23, 2026
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
Moderate
GHSA-xjvc-pw2r-6878
was published
for
flarum/core
(Composer)
Apr 22, 2026
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41203
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41202
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS
Moderate
CVE-2026-41201
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
October CMS: Reflected XSS via DataTable Form Widget
Low
CVE-2026-27937
was published
for
october/system
(Composer)
Apr 21, 2026
October CMS has Safe Mode Bypass via Twig Database Write Operations
Moderate
CVE-2026-26274
was published
for
october/october
(Composer)
Apr 21, 2026
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Moderate
CVE-2026-26067
was published
for
october/system
(Composer)
Apr 21, 2026
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
Moderate
CVE-2026-40098
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
High
GHSA-f58v-p6j9-24c2
was published
for
yeswiki/yeswiki
(Composer)
Apr 18, 2026
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
High
GHSA-qrr6-mg7r-m243
was published
for
phpunit/phpunit
(Composer)
Apr 18, 2026
elFinder: Command injection in resize background color parameter when using ImageMagick CLI
High
CVE-2026-41247
was published
for
studio-42/elfinder
(Composer)
Apr 17, 2026
Kimai: Username enumeration via timing on X-AUTH-USER
Low
GHSA-jrc6-fmhw-fpq2
was published
for
kimai/kimai
(Composer)
Apr 17, 2026
ProTip!
Advisories are also available from the
GraphQL API