GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 3,193; Erlang 25; GitHub Actions 39; Go 2,385; Maven 3,027; npm 3,079; NuGet 529; pip 2,897; Pub 5; RubyGems 444; Rust 905; Swift 20.
3,193 advisories
Advisory | Severity | Package | Published | Title
GHSA-ffw8-fwxp-h64w | High | wwbn/avideo (Composer) | Apr 14, 2026 | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
GHSA-vvfw-4m39-fjqf | High | wwbn/avideo (Composer) | Apr 14, 2026 | WWBN AVideo has CSRF in configurationUpdate.json.php that Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
GHSA-gph2-j4c9-vhhr | Critical | wwbn/avideo (Composer) | Apr 14, 2026 | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
GHSA-6rc6-p838-686f | High | wwbn/avideo (Composer) | Apr 14, 2026 | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
GHSA-52hf-63q4-r926 | Moderate | wwbn/avideo (Composer) | Apr 14, 2026 | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version
GHSA-gpgp-w4x2-h3h7 | Moderate | wwbn/avideo (Composer) | Apr 14, 2026 | WWBN AVideo has an IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens
CVE-2026-39971 | High | s9y/serendipity (Composer) | Apr 14, 2026 | Serendipity has a Host Header Injection that allows SMTP header injection via unvalidated HTTP_HOST in the Message-ID email header
CVE-2026-39963 | Moderate | s9y/serendipity (Composer) | Apr 14, 2026 | Serendipity has a Host Header Injection that allows authentication cookie scoping to an attacker-controlled domain in functions_config.inc.php
CVE-2026-25133 | Moderate | october/rain (Composer) | Apr 14, 2026 | October Rain has Stored XSS via SVG Filter Bypass
CVE-2026-25125 | Moderate | october/rain (Composer) | Apr 14, 2026 | October Rain has Environment Variable Exfiltration via INI Parser Interpolation
CVE-2026-40176 | High | composer/composer (Composer) | Apr 14, 2026 | Composer has a command injection via malicious perforce repository
CVE-2026-24907 | Moderate | october/system (Composer) | Apr 14, 2026 | October CMS has Stored XSS in Event Log Mail Preview
CVE-2026-24906 | Moderate | october/system (Composer) | Apr 14, 2026 | October CMS has Stored XSS in Backend Editor Markup Classes
CVE-2026-22692 | Moderate | october/rain (Composer) | Apr 14, 2026 | October Rain has a Twig Sandbox Bypass via Collection Methods
CVE-2026-40261 | High | composer/composer (Composer) | Apr 14, 2026 | Composer has a command injection via malicious perforce reference
CVE-2026-38529 | High | krayin/laravel-crm (Composer) | Apr 14, 2026 | Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php
CVE-2026-38532 | High | krayin/laravel-crm (Composer) | Apr 14, 2026 | Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php
CVE-2026-38530 | High | krayin/laravel-crm (Composer) | Apr 14, 2026 | Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php
CVE-2026-38527 | High | krayin/laravel-crm (Composer) | Apr 14, 2026 | Webkul Krayin CRM has Server-Side Request Forgery (SSRF)
GHSA-rh42-6rj2-xwmc | Low | kimai/kimai (Composer) | Apr 14, 2026 | Kimai leaks API Token Hash via Invoice Twig Template
GHSA-3jp4-mhh4-gcgr | Low | kimai/kimai (Composer) | Apr 14, 2026 | Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler
CVE-2026-40476 | Moderate | webonyx/graphql-php (Composer) | Apr 14, 2026 | graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
CVE-2026-32270 | Low | craftcms/commerce (Composer) | Apr 14, 2026 | Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
CVE-2026-32271 | High | craftcms/commerce (Composer) | Apr 14, 2026 | Craft Commerce has a SQL Injection that can lead to Remote Code Execution via TotalRevenue Widget
CVE-2026-32272 | High | craftcms/commerce (Composer) | Apr 14, 2026 | Craft Commerce hasVariant/hasProduct Blind SQL Injection
Advisories are also available from the GraphQL API.