Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,449 advisories

Loading
netlicensing-mcp: REST Path Traversal Bypasses Token Redaction Critical
GHSA-hxpf-9xvq-wph8 was published for netlicensing-mcp (pip) Jun 18, 2026
EQSTLab Credited to EQSTLab
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) Critical
CVE-2026-11717 was published for github.com/googleapis/mcp-toolbox (Go) Jun 18, 2026
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) Critical
CVE-2026-11718 was published for github.com/googleapis/mcp-toolbox (Go) Jun 18, 2026
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header Critical
CVE-2026-54003 was published for getkirby/cms (Composer) Jun 18, 2026
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP Critical
CVE-2026-44727 was published for jupyter-server (pip) Jun 18, 2026
pikaball Credited to pikaball, y011d4, 0xHunSec, Yann-P, and Carreau y011d4 y011d4
0xHunSec 0xHunSec Yann-P Yann-P Carreau Carreau
python-statemachine SCXML <data expr> Eval Injection Critical
CVE-2026-47103 was published for python-statemachine (pip) Jun 18, 2026
wsparks-vc Credited to wsparks-vc and SaiTeja-Erukude SaiTeja-Erukude SaiTeja-Erukude
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery Critical
GHSA-cwj8-7gp2-ggcw was published for praisonai-platform (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard) Critical
GHSA-f38v-77qj-h4jq was published for praisonai-platform (pip) Jun 18, 2026
Yanchon918s Credited to Yanchon918s
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation Critical
GHSA-29w3-p9w9-wc47 was published for praisonai (pip) Jun 18, 2026
sondt99 Credited to sondt99
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call Critical
GHSA-j4f3-55x4-r6q2 was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation Critical
GHSA-9752-mhqh-h34f was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool Critical
GHSA-p69m-4f92-2v84 was published for praisonai (npm) Jun 18, 2026
sondt99 Credited to sondt99
npm PraisonAI codeMode sandbox escape via Function constructor Critical
GHSA-vmmj-pfw7-fjwp was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation Critical
GHSA-892r-p3jq-jp24 was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints Critical
GHSA-x8cv-xmq7-p8xp was published for praisonaiagents (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication Critical
GHSA-fq2m-6wqh-x44g was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
praisonai: recipe serve auth middleware silently disables itself when no secret is set Critical
GHSA-j4hj-7hfh-g2f4 was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass Critical
GHSA-4869-x4pr-q22x was published for praisonai (pip) Jun 18, 2026
lc13n Credited to lc13n
sour-exploit Credited to sour-exploit
Cotonti: Cross-Site Request Forgery in the administration rights handler Critical
CVE-2026-55742 was published for cotonti/cotonti (Composer) Jun 18, 2026
xIllunight Credited to xIllunight and Paul-Bob Paul-Bob Paul-Bob
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory Critical
CVE-2026-55471 was published for ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven) Jun 17, 2026
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak Critical
CVE-2026-55450 was published for langflow (pip) Jun 17, 2026
vbCrLf Credited to vbCrLf, Jkavia, erichare, AntonioABLima, andifilhohub, and Adam-Aghili Jkavia Jkavia
erichare erichare AntonioABLima AntonioABLima andifilhohub andifilhohub Adam-Aghili Adam-Aghili
Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call Critical
GHSA-j6c9-qvp8-699f was published for picklescan (pip) Jun 17, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API