GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 86
GitHub Actions: 54
Go: 4,175
Maven: 5,000+
npm: 5,000+
NuGet: 1,019
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,421
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+

22 advisories

Improper Authentication in FreeTAKServer
High | CVE-2022-25508 was published for FreeTAKServer (pip) | Mar 12, 2022

Openstack Aodh can be used to launder Keystone trusts
High | CVE-2017-12440 was published for aodh (pip) | May 13, 2022

GramAddict bot uses dependency with reverse tcp backdoor
High | CVE-2020-36245 was published for GramAddict (pip) | May 24, 2022

RPyC's missing security check results in code execution when using numpy.array on the server-side.
High | CVE-2024-27758 was published for rpyc (pip) | Mar 6, 2024

Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint
High | CVE-2024-8053 was published for open-webui (pip) | Mar 20, 2025

Langflow Missing Authentication on Critical API Endpoints
High | CVE-2026-21445 was published for langflow (pip) | Jan 2, 2026

Unauthenticated remote shutdown in nltk.app.wordnet_app
High | CVE-2026-33231 was published for nltk (pip) | Mar 19, 2026

strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
High | CVE-2026-35523 was published for strawberry-graphql (pip) | Apr 6, 2026

PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
High | CVE-2026-40149 was published for PraisonAI (pip) | Apr 10, 2026

Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
High | CVE-2026-34839 was published for Glances (pip) | Apr 21, 2026

gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense
High | GHSA-52cq-7v8r-62c6 was published for gmaps-mcp (pip) | May 8, 2026

PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
High | CVE-2026-44338 was published for PraisonAI (pip) | May 11, 2026

mem0 server lacks authentication and authorization controls for its memory management API endpoints
High | CVE-2026-31240 was published for mem0ai (pip) | May 12, 2026

Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
High | CVE-2026-48989 was published for windows-mcp (pip) | May 21, 2026

Hermes Agent contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation
High | CVE-2026-53869 was published for hermes-agent (pip) | Jun 17, 2026

PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
High | GHSA-vmf9-xx9w-86wx was published for praisonai (pip) | Jun 18, 2026

PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard
High | GHSA-5qw8-f2g9-ff29 was published for praisonai (pip) | Jun 18, 2026

PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing
High | GHSA-fc26-m9pf-v56q was published for praisonai (pip) | Jun 18, 2026

PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
High | GHSA-jxcw-qp4h-6jfq was published for praisonai (pip) | Jun 18, 2026

Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
High | CVE-2026-54317 was published for homeassistant (pip) | Jun 19, 2026