GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 46
GitHub Actions: 48
Go: 3,343
Maven: 5,000+
npm: 5,000+
NuGet: 881
pip: 4,550
Pub: 12
RubyGems: 1,013
Rust: 1,203
Swift: 51

Unreviewed advisories
All unreviewed: 5,000+
5,455 advisories
AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
Moderate. CVE-2026-34247 was published for wwbn/avideo (Composer) on Mar 29, 2026.

AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
Moderate. CVE-2026-34245 was published for wwbn/avideo (Composer) on Mar 29, 2026.

AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records
High. GHSA-wprj-9cvc-5w37 was published for wwbn/avideo (Composer) on Mar 29, 2026.

Kirby CMS has Persistent DoS via Malformed Image Upload
Moderate. CVE-2026-29905 was published for getkirby/cms (Composer) on Mar 27, 2026.

AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters
High. GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) on Mar 27, 2026.

Saloon has insecure deserialization in AccessTokenAuthenticator
High. CVE-2026-33942 was published for saloonphp/saloon (Composer) on Mar 27, 2026.

Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
Moderate. CVE-2026-34036 was published for dolibarr/dolibarr (Composer) on Mar 27, 2026.

TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
Moderate. CVE-2026-33541 was published for miraheze/ts-portal (Composer) on Mar 27, 2026.

TSPortal: Any user can forge self-deletion requests for any account
High. CVE-2026-29788 was published for miraheze/ts-portal (Composer) on Mar 27, 2026.

Statamic allows unauthorized content access through missing authorization in its revision controllers
Moderate. CVE-2026-33887 was published for statamic/cms (Composer) on Mar 26, 2026.

Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
Moderate. CVE-2026-33886 was published for statamic/cms (Composer) on Mar 26, 2026.

Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
Moderate. CVE-2026-33885 was published for statamic/cms (Composer) on Mar 26, 2026.

Statamic's live preview token bypasses content protection for unrelated entries
Moderate. CVE-2026-33884 was published for statamic/cms (Composer) on Mar 26, 2026.

Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
Moderate. CVE-2026-33883 was published for statamic/cms (Composer) on Mar 26, 2026.

Statamic's Markdown preview endpoint exposes sensitive user data
Moderate. CVE-2026-33882 was published for statamic/cms (Composer) on Mar 26, 2026.

AVideo has Plaintext Video Password Storage
Critical. CVE-2026-33867 was published for wwbn/avideo (Composer) on Mar 26, 2026.

AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
High. CVE-2026-33770 was published for wwbn/avideo (Composer) on Mar 26, 2026.

AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
High. CVE-2026-33767 was published for wwbn/avideo (Composer) on Mar 26, 2026.

AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
Moderate. CVE-2026-33766 was published for wwbn/avideo (Composer) on Mar 26, 2026.

AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
Moderate. CVE-2026-33764 was published for wwbn/avideo (Composer) on Mar 26, 2026.

AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
Moderate. CVE-2026-33763 was published for wwbn/avideo (Composer) on Mar 26, 2026.

AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
Moderate. CVE-2026-33761 was published for wwbn/avideo (Composer) on Mar 26, 2026.

AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Moderate. CVE-2026-33759 was published for wwbn/avideo (Composer) on Mar 26, 2026.

LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write
High. GHSA-pr3g-phhr-h8fh was published for librenms/librenms (Composer) on Mar 26, 2026.

Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
Low. GHSA-44px-qjjc-xrhq was published for craftcms/cms (Composer) on Mar 26, 2026.

ProTip! Advisories are also available from the GraphQL API.