Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,208 advisories

Loading
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access Moderate
CVE-2026-52828 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP High
CVE-2026-52827 was published for kimai/kimai (Composer) Jul 14, 2026
shafiqaimanx Credited to shafiqaimanx
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover Critical
CVE-2026-52824 was published for kimai/kimai (Composer) Jul 14, 2026
AzureADTrent Credited to AzureADTrent
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes Moderate
CVE-2026-52823 was published for kimai/kimai (Composer) Jul 14, 2026
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Mitchell45 Credited to Mitchell45
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass Moderate
CVE-2026-52820 was published for kimai/kimai (Composer) Jul 13, 2026
offset Credited to offset
offset Credited to offset
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes Moderate
CVE-2026-49992 was published for kimai/kimai (Composer) Jul 13, 2026
Mitchell45 Credited to Mitchell45
FacturaScripts: Account takeover of any 2FA-enabled user Critical
CVE-2026-47677 was published for facturascripts/facturascripts (Composer) Jul 13, 2026
janssensjelle Credited to janssensjelle
NukeViet: Pre-authentication SSRF via X-Forwarded-Host High
CVE-2026-55372 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function High
CVE-2026-54065 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
g03m0n Credited to g03m0n and hoaquynhtim99 hoaquynhtim99 hoaquynhtim99
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module High
CVE-2026-54064 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and g03m0n g03m0n g03m0n
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') High
CVE-2026-49259 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
0xGunrunner Credited to 0xGunrunner
NukeViet: Unauthenticated Reflected XSS in Comment Module High
CVE-2026-48118 was published for nukeviet/nukeviet (Composer) Jul 13, 2026
hoaquynhtim99 Credited to hoaquynhtim99 and 0xGunrunner 0xGunrunner 0xGunrunner
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE Critical
CVE-2026-54159 was published for prestashop/ps_facetedsearch (Composer) Jul 10, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file) High
GHSA-qv4m-m73m-8hj7 was published for notrinos/notrinos-erp (Composer) Jul 10, 2026
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs Moderate
CVE-2026-49865 was published for kimai/kimai (Composer) Jul 10, 2026
Mitchell45 Credited to Mitchell45
tillmon Credited to tillmon and soyuka soyuka soyuka
Sylius: IDOR on Shop Payment Request API endpoints Moderate
CVE-2026-53639 was published for sylius/sylius (Composer) Jul 9, 2026
baradika Credited to baradika
Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint Moderate
CVE-2026-53638 was published for sylius/sylius (Composer) Jul 9, 2026
FredrikEV Credited to FredrikEV
Sylius: Cart FormComponent allows modification or deletion of an already-completed order Moderate
CVE-2026-53637 was published for sylius/sylius (Composer) Jul 9, 2026
kgonella Credited to kgonella
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service Critical
CVE-2026-52778 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
N0tFix3d Credited to N0tFix3d
ProTip! Advisories are also available from the GraphQL API