| ID | Packages | Summary | Published | Attributes |
| --- | --- | --- | --- | --- |
| GHSA-vff3-pqq8-4cpq | Packagist/craftcms/commerce | Craft Commerce: Potential IDOR in Commerce carts | 10 hours ago | Fix available; Severity - 6.3 (Medium) |
| GHSA-mj32-r678-7mvp | Packagist/craftcms/commerce | Craft Commerce has stored XSS in Craft Commerce Order Details Slideout | 10 hours ago | Fix available; Severity - 1.9 (Low) |
| GHSA-wj89-2385-gpx3 | Packagist/craftcms/commerce | Craft Commerce has stored XSS in Inventory Location Name | 10 hours ago | Fix available; Severity - 4.8 (Medium) |
| GHSA-cfpv-rmpf-f624 | Packagist/craftcms/commerce | Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking | 10 hours ago | Fix available; Severity - 8.6 (High) |
| GHSA-pmgj-gmm4-jh6j | Packagist/craftcms/commerce | Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting | 10 hours ago | Fix available; Severity - 8.7 (High) |
| GHSA-mqxf-2998-c6cp | Packagist/craftcms/commerce | Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table | 10 hours ago | Fix available |
| GHSA-j3x5-mghf-xvfw | Packagist/craftcms/commerce | Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting | 10 hours ago | Fix available; Severity - 8.7 (High) |
| GHSA-vg3j-hpm9-8v5v | Packagist/craftcms/cms | Craft CMS has a potential information disclosure vulnerability in preview tokens | 10 hours ago | Fix available |
| GHSA-f7pm-6hr8-7ggm | Packagist/web-auth/webauthn-framework, Packagist/web-auth/webauthn-lib, Packagist/web-auth/webauthn-symfony-bundle | Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation | yesterday | Fix available; Severity - 5.4 (Medium) |
| GHSA-3c4m-j3g4-hh25 | Packagist/flarum/nicknames | flarum/nicknames extension has display name injection in notification emails (autolink & markdown) | yesterday | Fix available; Severity - 4.6 (Medium) |
| GHSA-93fx-5qgc-wr38 | Packagist/azuracast/azuracast | AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs | yesterday | Fix available; Severity - 8.7 (High) |
| GHSA-7pfv-hr63-h7cw | Packagist/admidio/admidio | Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter | yesterday | Fix available; Severity - 5.3 (Medium) |
| GHSA-m4q3-832v-44j6 | Packagist/wpmetabox/meta-box | Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file | 3 days ago | Fix available; Severity - 7.2 (High) |
| GHSA-6w2r-cfpc-23r5 | Packagist/wwbn/avideo | AVideo has Unauthenticated IDOR - Playlist Information Disclosure | 4 days ago | Fix available; Severity - 5.5 (Medium) |
| GHSA-5q8v-j673-m5v4 | Packagist/grumpydictator/firefly-iii | Firefly III user API endpoints expose all users' information to any authenticated user (IDOR) | 4 days ago | Fix available; Severity - 5.7 (Medium) |
| GHSA-4v6x-c7xx-hw9f | Packagist/league/commonmark | CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names | 4 days ago | Fix available; Severity - 5.1 (Medium) |
Packagist - OSV