Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,479
Maven
5,000+
npm
5,000+
NuGet
886
pip
4,740
Pub
13
RubyGems
1,031
Rust
1,225
Swift
53
Unreviewed advisories
All unreviewed
5,000+

170 advisories

Loading
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands High
GHSA-6v7q-wjvx-w8wg was published for basic-ftp (npm) Apr 10, 2026
offset Credited to offset
Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload Moderate
GHSA-69hx-63pv-f8f4 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation Moderate
GHSA-r2x7-427f-rq69 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure Moderate
GHSA-w8jj-cwmc-wgq2 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass Moderate
GHSA-fwg7-53p4-g33c was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session Moderate
GHSA-hm2h-wwwh-g49x was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API High
CVE-2026-40114 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands Moderate
GHSA-ffp3-3562-8cv3 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint High
GHSA-x462-jjpc-q4q4 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits Moderate
CVE-2026-40148 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution High
GHSA-qwgj-rrpj-75xm was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary Moderate
CVE-2026-40152 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool High
CVE-2026-40153 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS Moderate
CVE-2026-40151 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls High
CVE-2026-40149 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool High
CVE-2026-40150 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate Moderate
CVE-2026-40117 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits High
CVE-2026-40116 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency) Moderate
CVE-2026-40112 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling Moderate
GHSA-766v-q9x3-g744 was published for praisonaiagents (pip) Apr 8, 2026
offset Credited to offset
PraisonAI has Template Injection in Agent Tool Definitions High
CVE-2026-39891 was published for praisonai (pip) Apr 8, 2026
offset Credited to offset
CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller High
CVE-2026-39394 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass High
CVE-2026-39393 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization Moderate
CVE-2026-39392 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List Moderate
CVE-2026-39391 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database