GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

63 advisories

Credited to offset
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API High
CVE-2026-40114 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint High
GHSA-x462-jjpc-q4q4 was published for praisonaiagents (pip) Apr 10, 2026
Credited to offset
PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls High
CVE-2026-40149 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset
PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool High
CVE-2026-40150 was published for praisonaiagents (pip) Apr 10, 2026
Credited to offset
PraisonAI has Template Injection in Agent Tool Definitions High
CVE-2026-39891 was published for praisonai (pip) Apr 8, 2026
Credited to offset
CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller High
CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
Credited to offset
CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass High
CVE-2026-39393 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
Credited to offset
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation High
CVE-2026-35044 was published for bentoml (pip) Apr 3, 2026
Credited to offset
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata High
CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to offset
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution High
CVE-2026-34528 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
Credited to offset
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions High
CVE-2026-34604 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions High
CVE-2026-34603 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
Parse Server exposes auth data via verify password endpoint High
CVE-2026-34215 was published for parse-server (npm) Mar 29, 2026
Credited to offset and mtrezza
Parse Server's streaming file download bypasses afterFind file trigger authorization High
CVE-2026-34784 was published for parse-server (npm) Apr 1, 2026
Credited to offset and mtrezza
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
Credited to offset
Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset
Parse Server's LiveQuery bypasses CLP pointer permission enforcement High
CVE-2026-33421 was published for parse-server (npm) Mar 20, 2026
Credited to offset and mtrezza
Parse Server has an auth provider validation bypass on login via partial authData High
CVE-2026-33409 was published for parse-server (npm) Mar 19, 2026
Credited to offset and mtrezza
Credited to offset
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
Credited to offset