GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
584 advisories
CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
Critical
CVE-2026-35035
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 6, 2026
CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
Critical
CVE-2026-34563
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-27599
was published
for
ci4-cms-erp/ci4ms
(Composer)
Mar 30, 2026
CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34561
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Critical
CVE-2026-41229
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution
Critical
CVE-2026-41228
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Critical
CVE-2026-23500
was published
for
dolibarr/dolibarr
(Composer)
Apr 17, 2026
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Critical
CVE-2026-40911
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41203
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
Critical
CVE-2026-41202
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 22, 2026
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Critical
CVE-2026-33478
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34989
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 3, 2026
CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
Critical
CVE-2026-34571
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34569
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34568
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34564
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34567
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34566
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34565
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34560
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34559
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34557
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34558
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
ProTip!
Advisories are also available from the
GraphQL API