GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,514 advisories
WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
High | CVE-2026-39370 was published for WWBN/AVideo (Composer) on Apr 8, 2026

WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
High | CVE-2026-39369 was published for WWBN/AVideo (Composer) on Apr 8, 2026

PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling
High | GHSA-788v-5pfp-93ff was published for pocketmine/pocketmine-mp (Composer) on Apr 6, 2026

PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
High | GHSA-h6rj-3m53-887h was published for pocketmine/pocketmine-mp (Composer) on Apr 6, 2026

OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
High | CVE-2026-35470 was published for devcode-it/openstamanager (Composer) on Apr 3, 2026

OpenSTAManager: SQL Injection via Aggiornamenti Module
High | CVE-2026-35168 was published for devcode-it/openstamanager (Composer) on Apr 3, 2026

Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption
High | GHSA-ghc5-95c2-vwcv was published for auth0/symfony (Composer) on Apr 3, 2026

Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption
High | GHSA-vfpx-q664-h93m was published for auth0/wordpress (Composer) on Apr 3, 2026

Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption
High | GHSA-fmg6-246m-9g2v was published for auth0/login (Composer) on Apr 3, 2026

phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController
High | CVE-2026-34728 was published for phpmyfaq/phpmyfaq (Composer) on Apr 1, 2026

CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
High | CVE-2026-34572 was published for ci4-cms-erp/ci4ms (Composer) on Apr 1, 2026

CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
High | CVE-2026-34570 was published for ci4-cms-erp/ci4ms (Composer) on Apr 1, 2026

AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
High | CVE-2026-34731 was published for wwbn/avideo (Composer) on Apr 1, 2026

Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption
High | CVE-2026-34236 was published for auth0/auth0-php (Composer) on Apr 1, 2026

OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2
High | CVE-2026-29782 was published for devcode-it/openstamanager (Composer) on Apr 1, 2026

OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter
High | CVE-2026-28805 was published for devcode-it/openstamanager (Composer) on Apr 1, 2026

YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"
High | CVE-2026-34598 was published for yeswiki/yeswiki (Composer) on Apr 1, 2026

AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
High | CVE-2026-34394 was published for wwbn/avideo (Composer) on Mar 31, 2026

Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
High | CVE-2026-34381 was published for admidio/admidio (Composer) on Mar 31, 2026

baserCMS is Vulnerable to Cross-site Scripting
High | CVE-2026-32734 was published for baserproject/basercms (Composer) on Mar 31, 2026

baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API
High | CVE-2026-30940 was published for baserproject/basercms (Composer) on Mar 31, 2026

baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)
High | CVE-2025-32957 was published for baserproject/basercms (Composer) on Mar 31, 2026

AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
High | CVE-2026-34375 was published for wwbn/avideo (Composer) on Mar 30, 2026

AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records
High | GHSA-wprj-9cvc-5w37 was published for wwbn/avideo (Composer) on Mar 29, 2026

AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters
High | GHSA-27qh-8cxx-2cr5 was published for aws/aws-sdk-php (Composer) on Mar 27, 2026

ProTip! Advisories are also available from the GraphQL API.