GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,610 advisories
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery
Critical
CVE-2026-44523
was published
for
github.com/enchant97/note-mark/backend
(Go)
May 7, 2026
Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution
High
CVE-2026-44522
was published
for
github.com/enchant97/note-mark/backend
(Go)
May 7, 2026
FacturaScripts Vulnerable to Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
Moderate
CVE-2026-42879
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint
Moderate
CVE-2026-42878
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
FacturaScripts vulnerable to stored XSS via product reference in sales/purchases
Moderate
CVE-2026-42877
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation
Low
CVE-2026-27964
was published
for
facturascripts/facturascripts
(Composer)
May 7, 2026
Bandit trusts client-supplied URI scheme on plaintext connections
Moderate
CVE-2026-39807
was published
for
bandit
(Erlang)
May 7, 2026
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
High
CVE-2026-44503
was published
for
Microsoft.Kiota.Abstractions
(Go)
May 7, 2026
Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery
Moderate
GHSA-gpxg-fx2g-qxj2
was published
for
kanidm
(Rust)
May 6, 2026
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Moderate
CVE-2026-44245
was published
for
github.com/kyverno/policy-reporter-ui
(Go)
May 6, 2026
Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass
High
CVE-2026-42551
was published
for
flightphp/core
(Composer)
May 6, 2026
Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
High
CVE-2026-42548
was published
for
flightphp/core
(Composer)
May 6, 2026
Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
Moderate
CVE-2026-42458
was published
for
openmage/magento-lts
(Composer)
May 6, 2026
phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
Moderate
GHSA-gh9p-q46p-57g2
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ
Moderate
GHSA-jrc5-w569-h7h5
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering
Moderate
GHSA-pqh6-8fxf-jx22
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User
Moderate
GHSA-rm98-82fr-mcfx
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
Moderate
GHSA-whqh-9pq5-c7r3
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
Moderate
GHSA-f5p7-2c9q-8896
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
Moderate
GHSA-7cx3-2qx2-3g6w
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check
Moderate
GHSA-hpgw-ww76-c68r
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering
High
GHSA-9525-27vj-c8r8
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
wger: trainer_login open redirect - ?next= parameter not validated against host
Moderate
GHSA-vqv8-j3mj-wjxj
was published
for
wger
(pip)
May 6, 2026
ProTip!
Advisories are also available from the
GraphQL API