An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

REDAXO CMS is vulnerable to RCE attack through its template management component
GHSA-xj9j-gjxg-7jvq CVE-2025-64050 HIGH 3 days ago
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to...
packagist
No PRs yet
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
GHSA-2jm2-2p35-rp3j CVE-2025-65103 HIGH 9 days ago
Summary: An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queri...
packagist
No PRs yet
phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
GHSA-fxm2-cmwj-qvx4 CVE-2025-62519 HIGH 12 days ago
Summary: An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a p...
packagist
No PRs yet
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
GHSA-3rg7-wf37-54rm CVE-2025-64500 HIGH 16 days ago
Description: The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't ...
packagist
No PRs yet
TYPO3 Modules Extension has Improper Authentication vulnerability
GHSA-49qv-h8pm-73pf CVE-2025-12998 HIGH 17 days ago
Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5....
packagist
No PRs yet
TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter
GHSA-4rwr-8c3m-55f6 CVE-2025-64519 HIGH 18 days ago
Summary: An authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can ...
packagist
No PRs yet
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
GHSA-4v8w-gg5j-ph37 CVE-2025-47776 HIGH 26 days ago
Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpre...
packagist
No PRs yet
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
GHSA-g59r-24g3-h7cm CVE-2025-64112 HIGH 30 days ago
Impact: Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject maliciou...
packagist
No PRs yet
Drupal Acquia DAM allows Forceful Browsing
GHSA-x957-32v9-m7vg CVE-2025-9954 HIGH about 1 month ago
Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5.
packagist
No PRs yet
Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass
GHSA-jqmq-fpwv-p925 CVE-2025-12466 HIGH about 1 month ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypas...
packagist
No PRs yet
Drupal CivicTheme Design System allows Forceful Browsing
GHSA-qxr9-f877-9842 CVE-2025-12082 HIGH about 1 month ago
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: fro...
packagist
No PRs yet
Moodle vulnerable to brute-force password guesses
GHSA-m58f-9pvv-8mp2 CVE-2025-62399 HIGH about 1 month ago
Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute...
packagist
No PRs yet
Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality
GHSA-2v5m-cq9w-fc33 CVE-2025-62617 HIGH about 1 month ago
Summary: An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticate...
packagist
No PRs yet
Magento provides incorrect authorization through a security feature bypass
GHSA-69x9-xp2j-w8g8 CVE-2025-54263 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-2768-5wmv-cfff CVE-2025-54264 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Bagisto is vulnerable to XSS through Admin Panel's product creation path
GHSA-29mf-w486-v3vc CVE-2025-60880 HIGH about 2 months ago
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted...
packagist
No PRs yet
phpMyFAQ duplicate email registration allows multiple accounts with the same email
GHSA-9wj2-4hcm-r74j CVE-2025-59943 HIGH about 2 months ago
Summary: phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created ...
packagist
No PRs yet
Dolibarr vulnerable to RCE via the computed field parameter
GHSA-27hj-48r9-x2vx CVE-2025-56588 HIGH about 2 months ago
Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed...
packagist
No PRs yet
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
GHSA-4j5h-mvj3-m48v CVE-2025-59839 HIGH 2 months ago
Summary: The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. Details: ...
packagist
No PRs yet
Shopware: Reflective Cross Site-Scripting (XSS) in CMS components
GHSA-9v82-vcjx-m76j HIGH 3 months ago
Impact: By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the ...
packagist
No PRs yet
Maho is Vulnerable to Authenticated Remote Code Execution via File Upload
GHSA-vgmm-27fc-vmgp CVE-2025-58449 HIGH 3 months ago
Summary: In Maho 25.7.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custo...
packagist
No PRs yet
TYPO3 Workspaces Module Information Disclosure
GHSA-w2pf-7q5w-2cgw CVE-2025-59018 HIGH 3 months ago
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0...
packagist
No PRs yet
PocketMine-MP `ResourcePackDataInfoPacket` amplification vulnerability due to lack of resource pack sequence status checking
GHSA-fqqv-56h5-f57g HIGH 3 months ago
Summary: A denial-of-service / out-of-memory vulnerability exists in the `STATUS_SEND_PACKS` handling of `ResourcePackClientResponsePacket`. Po...
packagist
No PRs yet
Badaso CMS file upload vulnerability
GHSA-gqp9-jh35-439m CVE-2025-52353 HIGH 3 months ago
An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PH...
packagist
No PRs yet
Adminer PHP Object Injection issue leads to Denial of Service
GHSA-mqh4-2mm8-g7w9 CVE-2025-43960 HIGH 3 months ago
Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000...
packagist
No PRs yet
PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
GHSA-rx7m-68vc-ppxh CVE-2025-54370 HIGH 3 months ago
**Product:** PhpSpreadsheet **Version:** 3.8.0 **CWE-ID:** CWE-918: Server-Side Request Forgery (SSRF) **CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/U...
packagist
No PRs yet
UnoPim has Broken Access Control
GHSA-8p2f-fx4q-75cx CVE-2025-55741 HIGH 3 months ago
Summary: In Unopim, it is possible to create roles and choose the privileges. However, users without the “Delete” privilege for Products cannot ...
packagist
No PRs yet
UnoPim vulnerable to remote code execution through Arbitrary File upload
GHSA-v22v-xwh7-2vrm CVE-2025-55743 HIGH 3 months ago
Summary: Affected functionality: **Image upload at User creation**. Endpoint: `/admin/settings/users/create`. Details: The image upload at th...
packagist
No PRs yet
Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms
GHSA-vq9x-w82r-rhmc CVE-2025-52392 HIGH 4 months ago
Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can ...
packagist
No PRs yet
Magento Cross-Site Request Forgery (CSRF) vulnerability
GHSA-5777-jj7p-mpqw CVE-2025-49555 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) ...
packagist
No PRs yet
Magento Cross-site Scripting vulnerability
GHSA-8mq8-c243-2335 CVE-2025-49557 HIGH 4 months ago
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting...
packagist
No PRs yet
Magento has incorrect authorization issue that leads to arbitrary file system read
GHSA-7hrj-3c9x-xv5h CVE-2025-49556 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to denial of service
GHSA-xgfm-992v-h2hr CVE-2025-49554 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnera...
packagist
No PRs yet
Bacula-web SQL Injection Vulnerability
GHSA-hq25-vp56-qr86 CVE-2025-45346 HIGH 4 months ago
SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request.
packagist
No PRs yet
z-push/z-push-dev SQL Injection Vulnerability
GHSA-w832-w3p8-cw29 CVE-2025-8264 HIGH 4 months ago
Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attac...
packagist
No PRs yet
HAX CMS API Lacks Authorization Checks
GHSA-9jr9-8ff3-m894 CVE-2025-54378 HIGH 4 months ago
Summary: The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CM...
npm packagist
No PRs yet
LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE
GHSA-gq96-8w38-hhj2 CVE-2025-54138 HIGH 4 months ago
LibreNMS 25.6.0 contains an architectural vulnerability in the `ajax_form.php` endpoint that permits Remote File Inclusion based on user-controlled...
packagist
No PRs yet
Dolibarr has Remote Code Execution Vulnerability (Bypass)
GHSA-49xw-hw94-fmv2 HIGH 4 months ago
Summary: The Dolibarr backend provides the function of adding Menu, and supports setting permissions for the added Menu: ![](https://raw.githubu...
packagist
No PRs yet
DynamicPageList3 vulnerability exposes hidden/suppressed usernames
GHSA-7pgw-q3qp-6pgq CVE-2025-53625 HIGH 5 months ago
Summary: Several `#dpl` parameters can leak usernames that have been hidden using revision deletion, suppression, or the `hideuser` block flag. ...
packagist
No PRs yet
Citizen Short Description stored XSS vulnerability through wikitext
GHSA-p85q-mww9-gwqf CVE-2025-53369 HIGH 5 months ago
Summary: Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowi...
packagist
No PRs yet
Bolt CMS vulnerable to authenticated remote code execution
GHSA-p9qc-8jjx-g8cg CVE-2025-34086 HIGH 5 months ago
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. ...
packagist
No PRs yet
Citizen vulnerable to Stored XSS through short descriptions
GHSA-prmv-7r8c-794g CVE-2025-53370 HIGH 5 months ago
Summary: Short descriptions set via the [ShortDescription extension](https://www.mediawiki.org/wiki/Extension:ShortDescription) are inserted as ...
packagist
No PRs yet
starcitizentools/citizen-skin is vulnerable to Stored XSS attack in the legacy search bar through page descriptions
GHSA-rq6g-6g94-jfr4 CVE-2025-53368 HIGH 5 months ago
Summary: Page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Detail...
packagist
No PRs yet
TabberNeue vulnerable to Stored XSS through wikitext
GHSA-jfj7-249r-7j2m CVE-2025-53093 HIGH 5 months ago
Summary: Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Details: The ...
packagist
No PRs yet
raspap-webgui has a Directory Traversal vulnerability
GHSA-277f-37gw-9gmq CVE-2025-44163 HIGH 5 months ago
RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST...
packagist
No PRs yet
Drupal Admin Audit Trail Allocation of Resources Without Limits or Throttling vulnerability
GHSA-pwj7-5c7c-mwjc CVE-2025-48448 HIGH 6 months ago
Allocation of Resources Without Limits or Throttling vulnerability in Drupal Admin Audit Trail allows Excessive Allocation. This issue affects Admi...
packagist
No PRs yet
Drupal Commerce Eurobank (Redirect) Incorrect Authorization vulnerability
GHSA-q9h3-r6wr-p3j3 CVE-2025-48445 HIGH 6 months ago
Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse. This issue affects Commerce Eurobank (Red...
packagist
No PRs yet
Drupal Commerce Alphabank Redirect Incorrect Authorization vulnerability
GHSA-48wx-8736-jgx2 CVE-2025-48446 HIGH 6 months ago
Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse. This issue affects Commerce Alphabank Redi...
packagist
No PRs yet
Magento Improper Authorization leading to security feature bypass
GHSA-r487-9vv5-75gg CVE-2025-43585 HIGH 6 months ago
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could re...
packagist
No PRs yet
Hax CMS Stored Cross-Site Scripting vulnerability
GHSA-2vc4-3hx7-v7v7 CVE-2025-49137 HIGH 6 months ago
Summary: The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and...
packagist
No PRs yet