GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
10 advisories
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Critical
CVE-2026-42596
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 7, 2026
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
High
CVE-2026-42221
was published
for
github.com/0xJacky/Nginx-UI
(Go)
May 6, 2026
goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
High
CVE-2026-40885
was published
for
github.com/patrickhener/goshs/v2
(Go)
Apr 14, 2026
goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation
Moderate
CVE-2026-40883
was published
for
github.com/patrickhener/goshs/v2
(Go)
Apr 14, 2026
goshs has an empty-username SFTP password authentication bypass
Critical
CVE-2026-40884
was published
for
github.com/patrickhener/goshs
(Go)
Apr 14, 2026
SFTP root escape via prefix-based path validation in goshs
High
CVE-2026-40876
was published
for
github.com/patrickhener/goshs
(Go)
Apr 14, 2026
goshs has a file-based ACL authorization bypass in goshs state-changing routes
Critical
CVE-2026-40189
was published
for
github.com/patrickhener/goshs
(Go)
Apr 10, 2026
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Critical
CVE-2026-40289
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI recipe registry publish path traversal allows out-of-root file write
High
CVE-2026-39308
was published
for
PraisonAI
(pip)
Apr 6, 2026
PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
High
CVE-2026-39306
was published
for
PraisonAI
(pip)
Apr 6, 2026
ProTip!
Advisories are also available from the
GraphQL API