GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
249 advisories
nono-py vulnerable to authorization bypass / policy confusion
Moderate | GHSA-9j7f-3r4p-pwh6 was published for nono-py (pip) | Jun 26, 2026
OpenAM Authentication Bypass via MSISDN LDAP Injection
High | CVE-2026-46619 was published for org.openidentityplatform.openam:openam-auth-msisdn (Maven) | Jun 26, 2026
MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies
Moderate | CVE-2026-48509 was published for MessagePack (NuGet) | Jun 25, 2026
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
High | CVE-2026-48502 was published for MessagePack (NuGet) | Jun 25, 2026
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code...
Moderate | Unreviewed | CVE-2026-50519 was published | Jun 19, 2026
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
High | GHSA-v52w-28xh-v562 was published for @kozou/api (npm) | Jun 19, 2026
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery
Critical | GHSA-cwj8-7gp2-ggcw was published for praisonai-platform (pip) | Jun 18, 2026
praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)
Critical | GHSA-f38v-77qj-h4jq was published for praisonai-platform (pip) | Jun 18, 2026
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
Critical | GHSA-j4f3-55x4-r6q2 was published for praisonai (npm) | Jun 18, 2026
praisonai: recipe serve auth middleware silently disables itself when no secret is set
Critical | GHSA-j4hj-7hfh-g2f4 was published for praisonai (pip) | Jun 18, 2026
In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin"...
Moderate | Unreviewed | CVE-2026-20265 was published | Jun 17, 2026
In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory...
Low | Unreviewed | CVE-2026-0134 was published | Jun 16, 2026
Use of a non-secure protocol as the default FTP configuration in Canon EOS Network Setting Tool...
High | Unreviewed | CVE-2026-9262 was published | Jun 16, 2026
Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so...
High | Unreviewed | CVE-2026-40994 was published | Jun 11, 2026
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
High | CVE-2026-44892 was published for io.netty:netty-codec-http3 (Maven) | Jun 8, 2026
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical | CVE-2026-47668 was published for dbgate-serve (npm) | Jun 5, 2026
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Critical | CVE-2026-47393 was published for PraisonAI (pip) | May 29, 2026
A configuration weakness in the device’s remote management service allows an authenticated...
High | Unreviewed | CVE-2026-9039 was published | May 28, 2026
NVIDIA Display Driver for Linux contains a vulnerability in the Multi-Instance GPU (MIG)...
Moderate | Unreviewed | CVE-2026-24197 was published | May 26, 2026
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
High | CVE-2026-46517 was published for lmdeploy (pip) | May 21, 2026
phpMyFAQ: Default Empty API Token Authentication Bypass
High | CVE-2026-35672 was published for phpmyfaq/phpmyfaq (Composer) | May 20, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS
Moderate | CVE-2026-46430 was published for github.com/xyproto/algernon (Go) | May 20, 2026
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
Moderate | GHSA-9v4j-7g44-qcqw was published for github.com/xyproto/algernon (Go) | May 19, 2026
Algernon: Single-file mode unconditionally enables debug mode
High | CVE-2026-45728 was published for github.com/xyproto/algernon (Go) | May 19, 2026
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses...
High | Unreviewed | CVE-2026-33376 was published | May 13, 2026
ProTip! Advisories are also available from the GraphQL API