
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

234 advisories

Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution Critical
GHSA-j5w5-568x-rq53 was published for @evomap/evolver (npm) Apr 22, 2026
Credited to xeloxa
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution Critical
CVE-2026-41179 was published for github.com/rclone/rclone (Go) Apr 22, 2026
Credited to 0wnerDied and ncw
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI Critical
GHSA-9qhq-v63v-fv3j was published for praisonai (pip) Apr 17, 2026
Credited to decsecre583
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration Critical
CVE-2026-23500 was published for dolibarr/dolibarr (Composer) Apr 17, 2026
Credited to lukasz-rybak
Paperclip: OS Command Injection via Execution Workspace cleanupCommand Critical
GHSA-vr7g-88fq-vhq3 was published for @paperclipai/server (npm) Apr 16, 2026
Credited to YuvalElbar6
Flowise: Authenticated RCE Via MCP Adapters Critical
CVE-2026-40933 was published for flowise (npm) Apr 16, 2026
Credited to MosesOX
aws-mcp has a Command Injection Remote Code Execution Vulnerability Critical
CVE-2026-5059 was published for aws-mcp (pip) Apr 11, 2026
Credited to arnewouters
PraisonAI has critical RCE via `type: job` workflow YAML Critical
CVE-2026-40288 was published for PraisonAI (pip) Apr 10, 2026
Credited to l3tchupkt
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) Critical
CVE-2026-40111 was published for praisonaiagents (pip) Apr 10, 2026
Credited to g0w6y
PraisonAI Vulnerable to OS Command Injection Critical
CVE-2026-40088 was published for PraisonAI (pip) Apr 8, 2026
Credited to l3tchupkt
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step Critical
CVE-2026-35216 was published for @budibase/server (npm) Apr 4, 2026
Credited to da7om85
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() Critical
CVE-2026-34935 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30
baserCMS has OS command injection vulnerability in installer Critical
CVE-2026-30880 was published for baserproject/basercms (Composer) Mar 31, 2026
baserCMS Update Functionality Vulnerable to OS Command Injection Critical
CVE-2026-30877 was published for baserproject/basercms (Composer) Mar 31, 2026
Credited to EricUeda
baserCMS has OS Command Injection Leading to Remote Code Execution (RCE) Critical
CVE-2026-21861 was published for baserproject/basercms (Composer) Mar 31, 2026
Credited to kaminuma
Mflow: Command Injection when serving models with enable_mlserver=True Critical
CVE-2026-0596 was published for mflow (pip) Mar 31, 2026
Credited to ConnorCallison
wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body` Critical
CVE-2026-34243 was published for njzjz/wenxian (GitHub Actions) Mar 29, 2026
Credited to choseogyeong
textract is vulnerable to OS Command Injection Critical
CVE-2026-26831 was published for textract (npm) Mar 25, 2026
thumbler allows OS Command Injection Critical
CVE-2026-26833 was published for thumbler (npm) Mar 25, 2026
node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter Critical
CVE-2026-26832 was published for node-tesseract-ocr (npm) Mar 25, 2026
pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter Critical
CVE-2026-26830 was published for pdf-image (npm) Mar 25, 2026
Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow Critical
GHSA-f67f-hcr6-94mf was published for SHAdd0WTAka/Zen-Ai-Pentest (GitHub Actions) Mar 20, 2026
Credited to nekros1xx
Credited to offset and Marcono1234
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters Critical
CVE-2026-31862 was published for @siteboon/claudecodeui (npm) Mar 11, 2026
Credited to toufik-airane and neo-ai-engineer
Credited to CodeAnt-AI-Security