GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5,913 advisories
Froxlor's API Authentication bypasses 2FA Authentication
High
GHSA-f9rx-7wf7-jr36
was published
for
froxlor/froxlor
(Composer)
Jun 3, 2026
Froxlor: BIND Zone File Injection via TXT Record Content
High
CVE-2026-41234
was published
for
froxlor/froxlor
(Composer)
Jun 3, 2026
backpack/crud is vulnerable to Cross-Site Scripting (XSS)
Moderate
CVE-2022-31114
was published
for
backpack/crud
(Composer)
Jun 3, 2026
Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024
Moderate
CVE-2026-47233
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio writes session IDs and auto-login cookie values to application logs
Moderate
CVE-2026-47234
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio PKCS#12 private key export action lacks CSRF protection
Moderate
CVE-2026-47232
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders
High
CVE-2026-47231
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Moderate
CVE-2026-47230
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation
Moderate
CVE-2026-47229
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords
Moderate
CVE-2026-47228
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Moderate
CVE-2026-47227
was published
for
admidio/admidio
(Composer)
May 29, 2026
Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Moderate
CVE-2026-47226
was published
for
admidio/admidio
(Composer)
May 29, 2026
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification
Moderate
CVE-2026-47212
was published
for
symfony/symfony
(Composer)
May 29, 2026
Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs
High
CVE-2026-47260
was published
for
phanan/koel
(Composer)
May 29, 2026
ezsystems/ezpublish-legacy has a SQL injection in dfscleanup
High
CVE-2026-38739
was published
for
ezsystems/ezpublish-legacy
(Composer)
May 29, 2026
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
High
CVE-2026-41236
was published
for
froxlor/froxlor
(Composer)
May 29, 2026
Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement
High
CVE-2026-41235
was published
for
froxlor/froxlor
(Composer)
May 29, 2026
Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save
High
CVE-2026-5394
was published
for
pimcore/pimcore
(Composer)
May 28, 2026
symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form
Low
CVE-2026-46644
was published
for
symfony/polyfill
(Composer)
May 28, 2026
Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS
Low
CVE-2026-45756
was published
for
symfony/json-path
(Composer)
May 28, 2026
Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection
Moderate
CVE-2026-45755
was published
for
symfony/mailtrap-mailer
(Composer)
May 28, 2026
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
Moderate
CVE-2026-45754
was published
for
symfony/lox24-notifier
(Composer)
May 28, 2026
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
Low
CVE-2026-45753
was published
for
symfony/html-sanitizer
(Composer)
May 28, 2026
ProTip!
Advisories are also available from the
GraphQL API