GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

619 advisories

ajenti.plugin.core has password bypass when 2FA is activated Critical
CVE-2026-40177 was published for ajenti.plugin.core (pip) Apr 10, 2026
Credited to hansmach1ne
OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes Critical
CVE-2026-40525 was published for openviking (pip) Apr 17, 2026
gramps-webapi: Zip Slip Path Traversal in Media Archive Import Critical
CVE-2026-40258 was published for gramps-webapi (pip) Apr 10, 2026
Credited to srisowmya2000
excel-mcp-server has a Path Traversal issue Critical
CVE-2026-40576 was published for excel-mcp-server (pip) Apr 14, 2026
Credited to hits313
Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability Critical
CVE-2026-4810 was published for google-adk (pip) Apr 13, 2026
Credited to philrollet
SQLAlchemy vulnerable to SQL Injection via order_by parameter Critical
CVE-2019-7164 was published for SQLAlchemy (pip) Apr 16, 2019
Credited to DEVSOG12
LiteLLM has SQL Injection in Proxy API key verification Critical
GHSA-r75f-5x8p-qvmc was published for litellm (pip) Apr 24, 2026
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer Critical
CVE-2025-62373 was published for pipecat-ai (pip) Apr 23, 2026
Credited to Chenpinji
Apache Airflow allows code execution through crafted XCom payloads Critical
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI Critical
GHSA-9qhq-v63v-fv3j was published for praisonai (pip) Apr 17, 2026
Credited to decsecre583
Sentry: Improper authentication on SAML SSO process allows user identity linking Critical
CVE-2026-27197 was published for sentry (pip) Apr 17, 2026
Credited to Muhammad-Qasim-Munir
Upsonic: remote code execution vulnerability in its MCP server/task creation functionality Critical
CVE-2026-30625 was published for upsonic (pip) Apr 15, 2026
UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen Critical
GHSA-hm2w-vr2p-hq7w was published for uefi-firmware (pip) Apr 16, 2026
Credited to 1seal
UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable Critical
GHSA-2689-5p89-6j3j was published for uefi-firmware (pip) Apr 16, 2026
Credited to 1seal
External Control of File Name or Path in h2oai/h2o-3 Critical
CVE-2023-6569 was published for h2o (pip) Dec 14, 2023
Credited to tjuyuxinzhang
aws-mcp has a Command Injection Remote Code Execution Vulnerability Critical
CVE-2026-5059 was published for aws-mcp (pip) Apr 11, 2026
Credited to arnewouters
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions Critical
CVE-2026-40289 was published for PraisonAI (pip) Apr 10, 2026
Credited to R1ZZG0D
PraisonAI has critical RCE via `type: job` workflow YAML Critical
CVE-2026-40288 was published for PraisonAI (pip) Apr 10, 2026
Credited to l3tchupkt
parisneo/lollms vulnerable to stored XSS in the social feature Critical
CVE-2026-1115 was published for lollms (pip) Apr 10, 2026
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability Critical
CVE-2026-32871 was published for fastmcp (pip) Mar 31, 2026
Credited to Pr00fOf3xpl0it and Jaynornj
Apache Airflow: JWT token still valid after logout Critical
CVE-2025-57735 was published for apache-airflow (pip) Apr 9, 2026
PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack` Critical
CVE-2026-40157 was published for PraisonAI (pip) Apr 10, 2026
Credited to Mundi-Xu
PraisonAI Vulnerable Untrusted Remote Template Code Execution Critical
CVE-2026-40154 was published for PraisonAI (pip) Apr 10, 2026
Credited to l3tchupkt
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) Critical
CVE-2026-40111 was published for praisonaiagents (pip) Apr 10, 2026
Credited to g0w6y
PraisonAI Vulnerable to OS Command Injection Critical
CVE-2026-40088 was published for PraisonAI (pip) Apr 8, 2026
Credited to l3tchupkt