GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,852 advisories

PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool High
CVE-2026-40150 was published for praisonaiagents (pip) Apr 10, 2026
Credited to offset
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate Moderate
CVE-2026-40117 was published for praisonaiagents (pip) Apr 10, 2026
Credited to offset
PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS Moderate
CVE-2026-40115 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset
Credited to aswinastro and g0w6y
Credited to offset
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) Critical
CVE-2026-40111 was published for praisonaiagents (pip) Apr 10, 2026
Credited to g0w6y
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering High
CVE-2026-40107 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to kodareef5
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf Critical
CVE-2026-34177 was published for github.com/canonical/lxd (Go) Apr 10, 2026
Credited to mpurg
LXD: Importing a crafted backup leads to project restriction bypass Critical
CVE-2026-34178 was published for github.com/canonical/lxd (Go) Apr 10, 2026
Credited to mpurg
LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin Critical
CVE-2026-34179 was published for github.com/canonical/lxd (Go) Apr 10, 2026
Credited to mpurg
justhtml includes multiple security fixes Moderate
GHSA-c9vm-hv86-f23r was published for justhtml (pip) Apr 10, 2026
Credited to EmilStenstrom
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout Moderate
CVE-2026-34481 was published for org.apache.logging.log4j:log4j-layout-template-json (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters Moderate
CVE-2026-34479 was published for org.apache.logging.log4j:log4j-1.2-api (Maven) Apr 10, 2026
Credited to ppkarwasz and FreeAndNil
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters Moderate
CVE-2026-34480 was published for org.apache.logging.log4j:log4j-core (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration Moderate
CVE-2026-34477 was published for org.apache.logging.log4j:log4j-core (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility Moderate
CVE-2026-34478 was published for org.apache.logging.log4j:log4j-core (Maven) Apr 10, 2026
Credited to ppkarwasz
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter Low
CVE-2026-40077 was published for github.com/henrygd/beszel (Go) Apr 10, 2026
Credited to marduc812, kodareef5, and lakshayyverma
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service Moderate
CVE-2026-40074 was published for @sveltejs/kit (npm) Apr 10, 2026
Credited to elliott-with-the-longest-name-on-github
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass High
CVE-2026-40073 was published for @sveltejs/kit (npm) Apr 10, 2026
Credited to elliott-with-the-longest-name-on-github and KarimPwnz
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource Moderate
CVE-2026-39961 was published for github.com/aiven/aiven-operator (Go) Apr 10, 2026
Credited to AndresAIFR
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds Moderate
CVE-2026-40103 was published for code.vikunja.io/api (Go) Apr 10, 2026
Credited to alecclyde
@vitejs/plugin-rsc has a Denial of Service with React Server Components High
GHSA-v457-wxvj-p9w9 was published for @vitejs/plugin-rsc (npm) Apr 10, 2026
Next.js has a Denial of Service with Server Components High
GHSA-q4gf-8mx6-v5v3 was published for next (npm) Apr 10, 2026