Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

460 advisories

Loading
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR High
CVE-2026-47415 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR High
CVE-2026-47417 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR High
CVE-2026-47418 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link) High
CVE-2026-47414 was published for praisonai-platform (pip) May 29, 2026
offset Credited to offset
praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks High
CVE-2026-47406 was published for praisonai-platform (pip) May 29, 2026
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID High
CVE-2026-47399 was published for praisonai-platform (pip) May 29, 2026
beanduan22 Credited to beanduan22
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API High
CVE-2026-48169 was published for praisonai-platform (pip) May 29, 2026
joshuaalwin Credited to joshuaalwin
formie's unauthenticated front-end submission editing can overwrite existing submissions High
CVE-2026-47266 was published for verbb/formie (Composer) May 29, 2026
Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders High
CVE-2026-47231 was published for admidio/admidio (Composer) May 29, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference... High Unreviewed
CVE-2026-9493 was published May 29, 2026
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18... High Unreviewed
CVE-2026-4868 was published May 27, 2026
Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate... High Unreviewed
CVE-2026-38807 was published May 27, 2026
Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp... High Unreviewed
CVE-2026-42736 was published May 27, 2026
code100x contains an authentication bypass vulnerability in the Mobile API that allows... High Unreviewed
CVE-2026-8890 was published May 26, 2026
Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM)... High Unreviewed
CVE-2026-35430 was published May 26, 2026
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14... High Unreviewed
CVE-2026-3473 was published May 26, 2026
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in... High Unreviewed
CVE-2026-8679 was published May 22, 2026
Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and... High Unreviewed
CVE-2025-13479 was published May 21, 2026
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action... High Unreviewed
CVE-2026-9136 was published May 20, 2026
phpMyFAQ: IDOR Account Takeover High
CVE-2026-35671 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
cyberHunter127 Credited to cyberHunter127
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview... High Unreviewed
CVE-2026-41949 was published May 18, 2026
AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin High
GHSA-qxvm-r42f-5p8j was published for WWBN/AVideo (Composer) May 15, 2026
offset Credited to offset
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint High
CVE-2026-44692 was published for code16/sharp (Composer) May 15, 2026
baradika Credited to baradika
Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with... High Unreviewed
CVE-2026-8629 was published May 14, 2026
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion High
CVE-2026-45671 was published for open-webui (pip) May 14, 2026
Inar1Dev Credited to Inar1Dev
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database