Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

332 advisories

Loading
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass Moderate
CVE-2026-52820 was published for kimai/kimai (Composer) Jul 13, 2026
offset Credited to offset
offset Credited to offset
YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html')) Moderate
CVE-2026-52772 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
offset Credited to offset
Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API Moderate
GHSA-q4rm-m6xh-5pv7 was published for froxlor/froxlor (Composer) Jul 2, 2026
offset Credited to offset
offset Credited to offset
offset Credited to offset
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources Moderate
CVE-2026-49288 was published for statamic/cms (Composer) Jun 26, 2026
offset Credited to offset, Eszh, and geo-chen Eszh Eszh
geo-chen geo-chen
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint Moderate
CVE-2026-41262 was published for github.com/fleetdm/fleet/v4 (Go) Jun 26, 2026
offset Credited to offset
OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration Low
CVE-2026-48709 was published for github.com/OliveTin/OliveTin (Go) Jun 24, 2026
offset Credited to offset
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields Moderate
CVE-2026-50179 was published for @actual-app/web (npm) Jun 22, 2026
offset Credited to offset and MatissJanis MatissJanis MatissJanis
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override High
CVE-2026-54351 was published for @budibase/server (npm) Jun 22, 2026
offset Credited to offset
offset Credited to offset and MatissJanis MatissJanis MatissJanis
@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper Moderate
CVE-2026-46672 was published for @actual-app/cli (npm) Jun 22, 2026
offset Credited to offset and MatissJanis MatissJanis MatissJanis
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data Moderate
CVE-2026-33731 was published for wwbn/avideo (Composer) Jun 22, 2026
offset Credited to offset
offset Credited to offset
parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change Low
GHSA-97pr-9hgg-3p8r was published for parse-server (npm) Jun 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering Moderate
CVE-2026-55847 was published for io.qameta.allure:allure-generator (Maven) Jun 19, 2026
offset Credited to offset and baev baev baev
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read Moderate
CVE-2026-55846 was published for io.qameta.allure:allure-commandline (Maven) Jun 19, 2026
offset Credited to offset and baev baev baev
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL Moderate
CVE-2026-53726 was published for parse-server (npm) Jun 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
offset Credited to offset and mtrezza mtrezza mtrezza
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist Low
CVE-2026-53724 was published for parse-server (npm) Jun 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
parse-server: Server option routeAllowList is bypassable through batch sub-requests Moderate
CVE-2026-50008 was published for parse-server (npm) Jun 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
offset Credited to offset
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API