GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,561 advisories
Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest
High
CVE-2026-41670
was published
for
admidio/admidio
(Composer)
Apr 29, 2026
Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests
High
CVE-2026-41669
was published
for
admidio/admidio
(Composer)
Apr 29, 2026
Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP
High
CVE-2026-41660
was published
for
admidio/admidio
(Composer)
Apr 29, 2026
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution
High
CVE-2026-41587
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 29, 2026
PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
High
CVE-2026-40902
was published
for
phpoffice/phpspreadsheet
(Composer)
Apr 29, 2026
PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
High
CVE-2026-40863
was published
for
phpoffice/phpspreadsheet
(Composer)
Apr 29, 2026
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
High
CVE-2026-34084
was published
for
phpoffice/phpspreadsheet
(Composer)
Apr 29, 2026
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
High
CVE-2026-24765
was published
for
phpunit/phpunit
(Composer)
Jan 27, 2026
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
High
CVE-2026-41570
was published
for
phpunit/phpunit
(Composer)
Apr 18, 2026
Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
High
CVE-2026-4208
was published
for
ralffreit/mfa-email
(Composer)
Mar 17, 2026
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
High
CVE-2026-34587
was published
for
getkirby/cms
(Composer)
Apr 23, 2026
CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
High
CVE-2026-34572
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
High
CVE-2026-41143
was published
for
yeswiki/yeswiki
(Composer)
Apr 18, 2026
Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header
High
CVE-2026-39971
was published
for
s9y/serendipity
(Composer)
Apr 14, 2026
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
High
CVE-2026-39369
was published
for
WWBN/AVideo
(Composer)
Apr 8, 2026
WWBN AVideo: RCE cause by clonesite plugin
High
CVE-2026-41304
was published
for
wwbn/avideo
(Composer)
Apr 16, 2026
elFinder: Command injection in resize background color parameter when using ImageMagick CLI
High
CVE-2026-41247
was published
for
studio-42/elfinder
(Composer)
Apr 17, 2026
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron
High
CVE-2026-41231
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
High
CVE-2026-41230
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
Statamic: Unsafe method invocation via query value resolution allows data destruction
High
CVE-2026-41175
was published
for
statamic/cms
(Composer)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API