GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
78 advisories
shopper/framework: Authorization bypass in multiple Livewire admin components
High
GHSA-f946-9qp6-vgch
was published
for
shopper/framework
(Composer)
May 18, 2026
AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
Moderate
CVE-2026-45620
was published
for
WWBN/AVideo
(Composer)
May 18, 2026
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
High
CVE-2026-42609
was published
for
getgrav/grav
(Composer)
May 5, 2026
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
Moderate
CVE-2026-42202
was published
for
almirhodzic/nova-toggle-5
(Composer)
Apr 24, 2026
CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
Moderate
CVE-2026-39389
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
Moderate
CVE-2026-34738
was published
for
wwbn/avideo
(Composer)
Apr 1, 2026
baserCMS has Mail Form Acceptance Bypass via Public API
Moderate
CVE-2026-30878
was published
for
baserproject/basercms
(Composer)
Mar 31, 2026
Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
Moderate
CVE-2026-33162
was published
for
craftcms/cms
(Composer)
Mar 24, 2026
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
High
CVE-2026-32300
was published
for
opensource-workshop/connect-cms
(Composer)
Mar 23, 2026
Kimai's API invoice endpoint missing customer-level access control (IDOR)
Moderate
CVE-2026-28685
was published
for
kimai/kimai
(Composer)
Mar 4, 2026
phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
Moderate
CVE-2026-24421
was published
for
phpmyfaq/phpmyfaq
(Composer)
Jan 23, 2026
Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
High
CVE-2025-66301
was published
for
getgrav/grav
(Composer)
Dec 2, 2025
MantisBT unauthorized disclosure of private project column configuration
Moderate
CVE-2025-62520
was published
for
mantisbt/mantisbt
(Composer)
Nov 3, 2025
HAX CMS API Lacks Authorization Checks
High
CVE-2025-54378
was published
for
@haxtheweb/haxcms-nodejs
(Composer)
Jul 25, 2025
Mautic allows Improper Authorization in Reporting API
High
CVE-2024-47053
was published
for
mautic/core
(Composer)
Feb 26, 2025
Improper Authorization vulnerability in Magento and Adobe Commerce
Critical
CVE-2025-24434
was published
for
magento/community-edition
(Composer)
Feb 11, 2025
ProTip!
Advisories are also available from the
GraphQL API