GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE. Use the search box to find a GHSA or CVE, narrow by ecosystem or severity, or match phrases in the summary.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-pj8j-p4g4-4vw8 | CVE-2026-49865 | medium | reviewed | Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs | 2026-07-10 16:04:40 UTC |
| GHSA-pjhx-3c3w-9v23 | CVE-2026-49858 | medium | reviewed | API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate | 2026-07-10 14:32:01 UTC |
| GHSA-mr9r-h354-966r | CVE-2026-53639 | medium | reviewed | Sylius: IDOR on Shop Payment Request API endpoints | 2026-07-09 21:03:51 UTC |
| GHSA-6955-hrm5-c4qp | CVE-2026-53638 | medium | reviewed | Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint | 2026-07-09 21:03:46 UTC |
| GHSA-5597-7rmh-97q5 | CVE-2026-53637 | medium | reviewed | Sylius: Cart FormComponent allows modification or deletion of an already-completed order | 2026-07-09 21:03:41 UTC |
| GHSA-px5m-h76g-p7p8 | CVE-2026-52778 | critical | reviewed | YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service | 2026-07-09 21:03:04 UTC |
| GHSA-9369-69wj-7m2f | CVE-2026-52777 | critical | reviewed | YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize | 2026-07-09 21:02:58 UTC |
| GHSA-4pf7-cc4r-g63h | CVE-2026-52775 | high | reviewed | YesWiki has Authenticated SQL Injection via ReactionManager | 2026-07-09 21:02:40 UTC |
| GHSA-r5xw-gcgw-hwp5 | CVE-2026-52774 | medium | reviewed | YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes | 2026-07-09 21:01:10 UTC |
| GHSA-35f3-pg38-486f | CVE-2026-52773 | medium | reviewed | YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php` | 2026-07-09 21:00:55 UTC |
| GHSA-xc7j-3g8q-9vh4 | CVE-2026-52772 | medium | reviewed | YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html')) | 2026-07-09 21:00:33 UTC |
| GHSA-8f2v-2qhj-gfwg | CVE-2026-52771 | high | reviewed | YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`) | 2026-07-09 21:00:14 UTC |
| GHSA-qg78-vmvc-fhjw | CVE-2026-52770 | high | reviewed | YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters | 2026-07-09 21:00:05 UTC |
| GHSA-vw42-752g-5mrp | CVE-2026-52769 | high | reviewed | YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId` | 2026-07-09 20:58:33 UTC |
| GHSA-mv28-wj57-f57g | CVE-2026-52767 | high | reviewed | YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via `!openssl_verify(...)` accepting `int(-1)` | 2026-07-09 20:58:12 UTC |
| GHSA-6x7x-gcmf-7r8x | CVE-2026-52766 | critical | reviewed | YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action | 2026-07-09 20:57:25 UTC |
| GHSA-89v6-j5x6-cmj3 | CVE-2026-52763 | medium | reviewed | YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read | 2026-07-09 20:54:46 UTC |
| GHSA-65p8-9433-jpcp | CVE-2026-52762 | high | reviewed | YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates | 2026-07-09 20:54:23 UTC |
| GHSA-w9mx-xmg4-gc4r | CVE-2026-53932 | high | reviewed | laravel-backup-restore has an OS Command Injection during database restore | 2026-07-09 20:52:57 UTC |
| GHSA-hm42-q32m-vj4f | CVE-2026-53760 | medium | reviewed | Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests | 2026-07-09 13:44:40 UTC |