GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
4,449 advisories
Filter by severity
netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
Critical
GHSA-hxpf-9xvq-wph8
was published
for
netlicensing-mcp
(pip)
Jun 18, 2026
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
Critical
CVE-2026-11717
was published
for
github.com/googleapis/mcp-toolbox
(Go)
Jun 18, 2026
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
Critical
CVE-2026-11718
was published
for
github.com/googleapis/mcp-toolbox
(Go)
Jun 18, 2026
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
Critical
CVE-2026-54003
was published
for
getkirby/cms
(Composer)
Jun 18, 2026
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
Critical
CVE-2026-44727
was published
for
jupyter-server
(pip)
Jun 18, 2026
python-statemachine SCXML <data expr> Eval Injection
Critical
CVE-2026-47103
was published
for
python-statemachine
(pip)
Jun 18, 2026
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery
Critical
GHSA-cwj8-7gp2-ggcw
was published
for
praisonai-platform
(pip)
Jun 18, 2026
praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)
Critical
GHSA-f38v-77qj-h4jq
was published
for
praisonai-platform
(pip)
Jun 18, 2026
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation
Critical
GHSA-29w3-p9w9-wc47
was published
for
praisonai
(pip)
Jun 18, 2026
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
Critical
GHSA-j4f3-55x4-r6q2
was published
for
praisonai
(npm)
Jun 18, 2026
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
Critical
GHSA-9752-mhqh-h34f
was published
for
praisonai
(npm)
Jun 18, 2026
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
Critical
GHSA-p69m-4f92-2v84
was published
for
praisonai
(npm)
Jun 18, 2026
npm PraisonAI codeMode sandbox escape via Function constructor
Critical
GHSA-vmmj-pfw7-fjwp
was published
for
praisonai
(npm)
Jun 18, 2026
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
Critical
GHSA-p75f-6fp4-p57w
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
Critical
GHSA-892r-p3jq-jp24
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
Critical
GHSA-x8cv-xmq7-p8xp
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
Critical
GHSA-fq2m-6wqh-x44g
was published
for
praisonai
(pip)
Jun 18, 2026
praisonai: recipe serve auth middleware silently disables itself when no secret is set
Critical
GHSA-j4hj-7hfh-g2f4
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
Critical
GHSA-4869-x4pr-q22x
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: MCP SSE transport binds 0.0.0.0 with no authentication and no Origin validation; bundled SecurityConfig is never wired in
Critical
GHSA-x227-pf99-vffg
was published
for
praisonaiagents
(pip)
Jun 18, 2026
Cotonti: Cross-Site Request Forgery in the administration rights handler
Critical
CVE-2026-55742
was published
for
cotonti/cotonti
(Composer)
Jun 18, 2026
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
Critical
CVE-2026-55518
was published
for
avo
(RubyGems)
Jun 17, 2026
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
Critical
CVE-2026-55471
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.utilities
(Maven)
Jun 17, 2026
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Critical
CVE-2026-55450
was published
for
langflow
(pip)
Jun 17, 2026
Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call
Critical
GHSA-j6c9-qvp8-699f
was published
for
picklescan
(pip)
Jun 17, 2026
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API