Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33,218 advisories

Loading
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access Moderate
CVE-2026-52828 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP High
CVE-2026-52827 was published for kimai/kimai (Composer) Jul 14, 2026
shafiqaimanx Credited to shafiqaimanx
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover Critical
CVE-2026-52824 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes Moderate
CVE-2026-52823 was published for kimai/kimai (Composer) Jul 14, 2026
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass Moderate
CVE-2026-52820 was published for kimai/kimai (Composer) Jul 13, 2026
offset Credited to offset
offset Credited to offset
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes Moderate
CVE-2026-49992 was published for kimai/kimai (Composer) Jul 13, 2026
Mitchell45 Credited to Mitchell45
0xmrma Credited to 0xmrma
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS High
GHSA-xf7x-x43h-rpqh was published for json-repair (pip) Jul 13, 2026
FacturaScripts: Account takeover of any 2FA-enabled user Critical
CVE-2026-47677 was published for facturascripts/facturascripts (Composer) Jul 13, 2026
janssensjelle Credited to janssensjelle
DIRAC: SQL injection and lack of access control in PilotManager service High
GHSA-7xw9-549r-8jrc was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
DIRAC: Pilot code downloaded over unverified HTTPS connection High
CVE-2026-61668 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval Critical
CVE-2026-61667 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
Apollo ConfigService access key authentication bypass via raw config file appId parsing High
CVE-2026-59955 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching High
CVE-2026-59954 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
NukeViet: Pre-authentication SSRF via X-Forwarded-Host High
CVE-2026-55372 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function High
CVE-2026-54065 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module High
CVE-2026-54064 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and g03m0n g03m0n g03m0n
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') High
CVE-2026-49259 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
0xGunrunner Credited to 0xGunrunner
NukeViet: Unauthenticated Reflected XSS in Comment Module High
CVE-2026-48118 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and 0xGunrunner 0xGunrunner 0xGunrunner
DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input Critical
CVE-2026-45579 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
ProTip! Advisories are also available from the GraphQL API