GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,208 advisories
Filter by severity
Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access
Moderate
CVE-2026-52828
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
High
CVE-2026-52827
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation
Moderate
CVE-2026-52826
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility
Moderate
CVE-2026-52825
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
Critical
CVE-2026-52824
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes
Moderate
CVE-2026-52823
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation
Moderate
CVE-2026-52822
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects
Moderate
CVE-2026-52821
was published
for
kimai/kimai
(Composer)
Jul 14, 2026
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Moderate
CVE-2026-52820
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target
Moderate
CVE-2026-52819
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
Moderate
CVE-2026-49992
was published
for
kimai/kimai
(Composer)
Jul 13, 2026
FacturaScripts: Account takeover of any 2FA-enabled user
Critical
CVE-2026-47677
was published
for
facturascripts/facturascripts
(Composer)
Jul 13, 2026
NukeViet: Pre-authentication SSRF via X-Forwarded-Host
High
CVE-2026-55372
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function
High
CVE-2026-54065
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
High
CVE-2026-54064
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
High
CVE-2026-49259
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
NukeViet: Unauthenticated Reflected XSS in Comment Module
High
CVE-2026-48118
was published
for
nukeviet/nukeviet
(Composer)
Jul 13, 2026
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
Critical
CVE-2026-54159
was published
for
prestashop/ps_facetedsearch
(Composer)
Jul 10, 2026
NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)
High
GHSA-qv4m-m73m-8hj7
was published
for
notrinos/notrinos-erp
(Composer)
Jul 10, 2026
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs
Moderate
CVE-2026-49865
was published
for
kimai/kimai
(Composer)
Jul 10, 2026
API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
Moderate
CVE-2026-49858
was published
for
api-platform/core
(Composer)
Jul 10, 2026
Sylius: IDOR on Shop Payment Request API endpoints
Moderate
CVE-2026-53639
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint
Moderate
CVE-2026-53638
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
Sylius: Cart FormComponent allows modification or deletion of an already-completed order
Moderate
CVE-2026-53637
was published
for
sylius/sylius
(Composer)
Jul 9, 2026
YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
Critical
CVE-2026-52778
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
ProTip!
Advisories are also available from the
GraphQL API