GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
94 advisories
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI
Critical
GHSA-9qhq-v63v-fv3j
was published
for
praisonai
(pip)
Apr 17, 2026
aws-mcp has a Command Injection Remote Code Execution Vulnerability
Critical
CVE-2026-5059
was published
for
aws-mcp
(pip)
Apr 11, 2026
PraisonAI has critical RCE via `type: job` workflow YAML
Critical
CVE-2026-40288
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
Critical
CVE-2026-40111
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI Vulnerable to OS Command Injection
Critical
CVE-2026-40088
was published
for
PraisonAI
(pip)
Apr 8, 2026
pyLoad: Improper Neutralization of Special Elements used in an OS Command
High
CVE-2026-35463
was published
for
pyload-ng
(pip)
Apr 4, 2026
BentoML: Command Injection in cloud deployment setup script
High
CVE-2026-35043
was published
for
bentoml
(pip)
Apr 3, 2026
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
High
CVE-2026-34955
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
Critical
CVE-2026-34935
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
High
CVE-2026-34937
was published
for
praisonaiagents
(pip)
Apr 1, 2026
FastMCP has a Command Injection vulnerability - Gemini CLI
Moderate
CVE-2025-64340
was published
for
fastmcp
(pip)
Mar 31, 2026
Mflow: Command Injection when serving models with enable_mlserver=True
Critical
CVE-2026-0596
was published
for
mflow
(pip)
Mar 31, 2026
Glances Vulnerable to Command Injection via Dynamic Configuration Values
High
CVE-2026-33641
was published
for
Glances
(pip)
Mar 30, 2026
OpenHands is Vulnerable to Command Injection through its Git Diff Handler
High
CVE-2026-33718
was published
for
openhands
(pip)
Mar 25, 2026
Indico discloses local files resulting in Remote Code Execution through LaTeX injection
High
CVE-2026-33046
was published
for
indico
(pip)
Mar 23, 2026
Intake has a Command Injection via shell() Expansion in Parameter Defaults
High
CVE-2026-33310
was published
for
intake
(pip)
Mar 19, 2026
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
High
CVE-2026-33154
was published
for
dynaconf
(pip)
Mar 18, 2026
Glances has a Command Injection via Process Names in Action Command Templates
High
CVE-2026-32608
was published
for
Glances
(pip)
Mar 16, 2026
yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
High
CVE-2026-26331
was published
for
yt-dlp
(pip)
Feb 23, 2026
CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection
Critical
CVE-2026-25130
was published
for
cai-framework
(pip)
Jan 30, 2026
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
High
CVE-2025-62703
was published
for
fugue
(pip)
Nov 25, 2025
motionEye vulnerable to RCE via unsanitized motion config parameter
High
CVE-2025-60787
was published
for
motioneye
(pip)
Nov 3, 2025
ProTip!
Advisories are also available from the
GraphQL API