GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,436
Maven: 5,000+
npm: 5,000+
NuGet: 883
pip: 4,694
Pub: 13
RubyGems: 1,029
Rust: 1,212
Swift: 53
Unreviewed advisories
All unreviewed: 5,000+
28,615 advisories
PraisonAI Vulnerable to OS Command Injection
Critical: GHSA-2763-cj5r-c79m was published for PraisonAI (pip) on Apr 8, 2026
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Moderate: GHSA-68m9-983m-f3v5 was published for github.com/openfga/openfga (Go) on Apr 8, 2026
LangChain has incomplete f-string validation in prompt templates
Moderate: GHSA-926x-3r5x-gfhw was published for langchain-core (pip) on Apr 8, 2026
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Critical: GHSA-2679-6mx9-h9xc was published for marimo (pip) on Apr 8, 2026
Pretext: Algorithmic Complexity (DoS) in the text analysis phase
High: GHSA-5478-66c3-rhxr was published for @chenglou/pretext (npm) on Apr 8, 2026
basic-ftp has FTP Command Injection via CRLF
High: GHSA-chqc-8p9q-pq6q was published for basic-ftp (npm) on Apr 8, 2026
AGiXT Vulnerable to Path Traversal in safe_join()
High: GHSA-5gfj-64gh-mgmw was published for agixt (pip) on Apr 8, 2026
Laravel Passport: TokenGuard Authenticates Unrelated User for Client Credentials Tokens
High: GHSA-349c-2h2f-mxf6 was published for laravel/passport (Composer) on Apr 8, 2026
n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode
High: GHSA-4ggg-h7ph-26qr was published for n8n-mcp (npm) on Apr 8, 2026
mercure has Topic Selector Cache Key Collision
High: GHSA-hwr4-mq23-wcv5 was published for github.com/dunglas/mercure (Go) on Apr 8, 2026
Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service
High: GHSA-xrw6-gwf8-vvr9 was published for Tmds.DBus (NuGet) on Apr 8, 2026
Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
Moderate: CVE-2026-39892 was published for cryptography (pip) on Apr 8, 2026
monetr: Protected Transactions Deletable via PUT
Moderate: CVE-2026-39901 was published for github.com/monetr/monetr (Go) on Apr 8, 2026
mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
High: CVE-2026-39885 was published for @frontmcp/adapters (npm) on Apr 8, 2026
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
High: CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) on Apr 8, 2026
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
Moderate: CVE-2026-39882 was published for go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp (Go) on Apr 8, 2026
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
Moderate: GHSA-766v-q9x3-g744 was published for praisonaiagents (pip) on Apr 8, 2026
PraisonAI has Template Injection in Agent Tool Definitions
High: CVE-2026-39891 was published for praisonai (pip) on Apr 8, 2026
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
High: CVE-2026-39889 was published for praisonai (pip) on Apr 8, 2026
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
Critical: CVE-2026-39888 was published for praisonaiagents (pip) on Apr 8, 2026
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Critical: CVE-2026-39890 was published for praisonai (pip) on Apr 8, 2026
CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
High: CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) on Apr 8, 2026
CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass
High: CVE-2026-39393 was published for ci4-cms-erp/ci4ms (Composer) on Apr 8, 2026
CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
Moderate: CVE-2026-39392 was published for ci4-cms-erp/ci4ms (Composer) on Apr 8, 2026
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
Moderate: CVE-2026-39391 was published for ci4-cms-erp/ci4ms (Composer) on Apr 8, 2026
ProTip! Advisories are also available from the GraphQL API.