Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,177 advisories

Loading
Sylius: Cart FormComponent allows modification or deletion of an already-completed order Moderate
CVE-2026-53637 was published for sylius/sylius (Composer) Jul 9, 2026
kgonella Credited to kgonella
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize Critical
CVE-2026-52777 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
fg0x0 Credited to fg0x0
YesWiki has Authenticated SQL Injection via ReactionManager High
CVE-2026-52775 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes Moderate
CVE-2026-52774 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php` Moderate
CVE-2026-52773 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html')) Moderate
CVE-2026-52772 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
offset Credited to offset
YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`) High
CVE-2026-52771 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters High
CVE-2026-52770 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
sondt99 Credited to sondt99
YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId` High
CVE-2026-52769 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
hash3liZer Credited to hash3liZer
hash3liZer Credited to hash3liZer
YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action Critical
CVE-2026-52766 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read Moderate
CVE-2026-52763 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
CosmicCrusader23 Credited to CosmicCrusader23
hash3liZer Credited to hash3liZer and eros938 eros938 eros938
tarryGrain0 Credited to tarryGrain0 and Paul-Bob Paul-Bob Paul-Bob
laravel-backup-restore has an OS Command Injection during database restore High
CVE-2026-53932 was published for wnx/laravel-backup-restore (Composer) Jul 9, 2026
YHalo-wyh Credited to YHalo-wyh
nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate Moderate
CVE-2026-53602 was published for github.com/forgekeep/nebula-mesh (Go) Jul 9, 2026
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data Moderate
GHSA-382c-vx95-w3p5 was published for @jsonbored/gittensory-mcp (npm) Jul 9, 2026
homanp Credited to homanp
Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests Moderate
CVE-2026-53760 was published for admidio/admidio (Composer) Jul 9, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview High
GHSA-86vw-x4ww-x467 was published for craftcms/cms (Composer) Jul 9, 2026
q1uf3ng Credited to q1uf3ng
Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read Low
GHSA-c43v-4cr8-6mvp was published for craftcms/cms (Composer) Jul 9, 2026
GCXWLP Credited to GCXWLP
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` High
CVE-2026-53727 was published for css_parser (RubyGems) Jul 9, 2026
JLLeitschuh Credited to JLLeitschuh
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-49485 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) Jul 9, 2026
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small Moderate
CVE-2026-53720 was published for pymonocypher (pip) Jul 9, 2026
hextheshadow Credited to hextheshadow
Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p) High
CVE-2026-50553 was published for github.com/enchant97/note-mark/backend (Go) Jul 9, 2026
tonghuaroot Credited to tonghuaroot, Yunkaiwjs, and enchant97 Yunkaiwjs Yunkaiwjs
enchant97 enchant97
ProTip! Advisories are also available from the GraphQL API