GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,957 advisories

PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary Moderate
CVE-2026-40152 was published for praisonaiagents (pip) Apr 10, 2026
Credited to offset
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS Moderate
CVE-2026-40151 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate Moderate
CVE-2026-40117 was published for praisonaiagents (pip) Apr 10, 2026
Credited to offset
PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS Moderate
CVE-2026-40115 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset
justhtml includes multiple security fixes Moderate
GHSA-c9vm-hv86-f23r was published for justhtml (pip) Apr 10, 2026
Credited to EmilStenstrom
FoundationAgents MetaGPT vulnerable to os command injection via the Terminal.run_command Moderate
CVE-2026-5972 was published for metagpt (pip) Apr 9, 2026
FoundationAgents MetaGPT vulnerable to OS Command Injection in metagpt/tools/libs/terminal.py Moderate
CVE-2026-5974 was published for metagpt (pip) Apr 9, 2026
FoundationAgents MetaGPT vulnerable to OS Command Injection in metagpt/utils/common.py Moderate
CVE-2026-5973 was published for metagpt (pip) Apr 9, 2026
Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users Moderate
GHSA-9gjv-jvm7-vv2v was published for gramps-webapi (pip) Apr 9, 2026
FoundationAgents MetaGPT vulnerable to eval injection Moderate
CVE-2026-5971 was published for metagpt (pip) Apr 9, 2026
Apache Airflow has an authorization bypass in DagRun wait endpoint Moderate
CVE-2026-34538 was published for apache-airflow (pip) Apr 9, 2026
LangChain has incomplete f-string validation in prompt templates Moderate
CVE-2026-40087 was published for langchain-core (pip) Apr 8, 2026
Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs Moderate
CVE-2026-39892 was published for cryptography (pip) Apr 8, 2026
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling Moderate
GHSA-766v-q9x3-g744 was published for praisonaiagents (pip) Apr 8, 2026
Credited to offset
pretix: API leaks check-in data between events of the same organizer Moderate
CVE-2026-5600 was published for pretix (pip) Apr 8, 2026
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows Moderate
CVE-2026-39844 was published for nicegui (pip) Apr 8, 2026
Credited to offset, evnchn, and falkoschindler
rfc3161-client Has Improper Certificate Validation Moderate
CVE-2026-33753 was published for rfc3161-client (pip) Apr 8, 2026
Credited to Jaynornj
parisneo/lollms has an insufficient session expiration vulnerability Moderate
CVE-2026-1163 was published for lollms (pip) Apr 8, 2026
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions Moderate
CVE-2026-40071 was published for pyload-ng (pip) Apr 8, 2026
Credited to komi22
lightrag-hku: JWT Algorithm Confusion Vulnerability Moderate
CVE-2026-39413 was published for lightrag-hku (pip) Apr 8, 2026
JWCrypto: JWE ZIP decompression bomb Moderate
CVE-2026-39373 was published for jwcrypto (pip) Apr 8, 2026
Credited to hkmj19
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass Moderate
CVE-2026-35592 was published for pyload-ng (pip) Apr 8, 2026
Credited to offset
OpenViking contains a missing authorization vulnerability in the task polling endpoints Moderate
CVE-2026-22680 was published for OpenViking (pip) Apr 7, 2026