GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
90 advisories
Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload
Moderate
GHSA-69hx-63pv-f8f4
was published
for
github.com/lin-snow/ech0
(Go)
Apr 10, 2026
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation
Moderate
GHSA-r2x7-427f-rq69
was published
for
github.com/lin-snow/ech0
(Go)
Apr 10, 2026
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure
Moderate
GHSA-w8jj-cwmc-wgq2
was published
for
github.com/lin-snow/ech0
(Go)
Apr 10, 2026
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass
Moderate
GHSA-fwg7-53p4-g33c
was published
for
github.com/lin-snow/ech0
(Go)
Apr 10, 2026
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session
Moderate
GHSA-hm2h-wwwh-g49x
was published
for
github.com/lin-snow/ech0
(Go)
Apr 10, 2026
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
GHSA-ffp3-3562-8cv3
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
Moderate
CVE-2026-40148
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary
Moderate
CVE-2026-40152
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
Moderate
CVE-2026-40151
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
Moderate
CVE-2026-40117
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
Moderate
CVE-2026-40112
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
Moderate
GHSA-766v-q9x3-g744
was published
for
praisonaiagents
(pip)
Apr 8, 2026
CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
Moderate
CVE-2026-39392
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
Moderate
CVE-2026-39391
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
Moderate
CVE-2026-39390
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
Moderate
CVE-2026-39389
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Moderate
CVE-2026-39844
was published
for
nicegui
(pip)
Apr 8, 2026
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Moderate
CVE-2026-39381
was published
for
parse-server
(npm)
Apr 8, 2026
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Moderate
CVE-2026-39367
was published
for
wwbn/avideo
(Composer)
Apr 8, 2026
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
Moderate
CVE-2026-39366
was published
for
wwbn/avideo
(Composer)
Apr 8, 2026
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
Moderate
GHSA-fcmh-qfxc-w685
was published
for
github.com/cloudnativelabs/kube-router/v2
(Go)
Apr 8, 2026
Parse Server has a login timing side-channel reveals user existence
Moderate
CVE-2026-39321
was published
for
parse-server
(npm)
Apr 8, 2026
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Moderate
CVE-2026-35592
was published
for
pyload-ng
(pip)
Apr 8, 2026
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Moderate
CVE-2026-35586
was published
for
pyload-ng
(pip)
Apr 8, 2026
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Moderate
CVE-2026-34211
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
ProTip!
Advisories are also available from the
GraphQL API