GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,867 advisories
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34989
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 3, 2026
phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation
Moderate
CVE-2026-34974
was published
for
thorsten/phpmyfaq
(Composer)
Apr 1, 2026
AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin
Moderate
GHSA-gmpc-fxg2-vcmq
was published
for
wwbn/avideo
(Composer)
Apr 1, 2026
phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()
Moderate
CVE-2026-34729
was published
for
phpmyfaq/phpmyfaq
(Composer)
Apr 1, 2026
CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
Critical
CVE-2026-34571
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34569
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34568
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34567
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34566
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34565
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34564
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
Critical
CVE-2026-34563
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Moderate
CVE-2026-34562
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Moderate
CVE-2026-34561
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34560
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34559
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Moderate
CVE-2026-34739
was published
for
wwbn/avideo
(Composer)
Apr 1, 2026
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
Moderate
CVE-2026-34716
was published
for
wwbn/avideo
(Composer)
Apr 1, 2026
YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities
Moderate
GHSA-5724-x3rh-5qqq
was published
for
yeswiki/yeswiki
(Composer)
Apr 1, 2026
YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"
High
CVE-2026-34598
was published
for
yeswiki/yeswiki
(Composer)
Apr 1, 2026
CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34557
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34558
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
Moderate
CVE-2026-34396
was published
for
wwbn/avideo
(Composer)
Mar 31, 2026
ProTip!
Advisories are also available from the
GraphQL API