GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,129 advisories

Paymenter has race condition in payWithCredit() that enables credit double-spend Moderate
CVE-2026-55219 was published for paymenter/paymenter (Composer) Jun 30, 2026
Credited to debibobo and CorwinDev
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` Moderate
CVE-2026-48808 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters Moderate
CVE-2026-48807 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys Moderate
CVE-2026-48806 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` Low
CVE-2026-48805 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Paymenter has URL parameter injection that bypasses paid plan limits at checkout High
CVE-2026-47198 was published for paymenter/paymenter (Composer) Jun 30, 2026
Credited to debibobo and CorwinDev
Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors Low
CVE-2026-54244 was published for statamic/cms (Composer) Jun 26, 2026
Credited to jqr1449186277
Statamic Vulnerable to CSV formula injection in form submission exports Moderate
CVE-2026-54243 was published for statamic/cms (Composer) Jun 26, 2026
Credited to kah-ja
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) Moderate
CVE-2026-54242 was published for statamic/cms (Composer) Jun 26, 2026
Credited to jqr1449186277
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings High
GHSA-7vfx-4246-jcfh was published for solidinvoice/solidinvoice (Composer) Jun 26, 2026
Statamic CMS's unsafe method invocation via collection sorting allows data destruction High
CVE-2026-49287 was published for statamic/cms (Composer) Jun 26, 2026
Credited to Eszh
Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources Moderate
CVE-2026-49288 was published for statamic/cms (Composer) Jun 26, 2026
Credited to offset, Eszh, and geo-chen
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option Moderate
CVE-2026-49359 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles Low
CVE-2026-49358 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) High
CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
Credited to PomPomSaturin
Credited to tonghuaroot and endelwar
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards High
GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) Jun 26, 2026
Credited to SnailSploit and 0xShemesh
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs Moderate
GHSA-q683-8468-r6h6 was published for web-auth/webauthn-symfony-bundle (Composer) Jun 26, 2026
CakePHP: View::element() is missing a path containment check Moderate
CVE-2026-48820 was published for cakephp/cakephp (Composer) Jun 26, 2026
Credited to z3moo, get-wright, markstory, and dereuromark
PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling High
CVE-2026-48979 was published for php-standard-library/h2 (Composer) Jun 26, 2026
Credited to azjezz
Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system Moderate
GHSA-j7f5-gfqm-pcx3 was published for pterodactyl/panel (Composer) Jun 26, 2026
Credited to CybranceeHosting, YoloFTW, and TheCyberDesk
Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission High
CVE-2026-48505 was published for filament/filament (Composer) Jun 25, 2026
Credited to StarPlatinu and danharrin
Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection High
CVE-2026-54329 was published for snipe/snipe-it (Composer) Jun 23, 2026
Credited to tahirsercan
Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL Low
CVE-2026-55542 was published for snipe/snipe-it (Composer) Jun 23, 2026