GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
32 advisories
Filter by severity
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete
Critical
CVE-2026-50027
was published
for
mcp-memory-service
(pip)
Jul 2, 2026
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Critical
CVE-2026-49257
was published
for
mcp-pinot-server
(pip)
Jun 26, 2026
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
Critical
GHSA-qxvg-h7q2-hcxh
was published
for
motioneye
(pip)
Jun 23, 2026
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
Critical
GHSA-p75f-6fp4-p57w
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
Critical
GHSA-892r-p3jq-jp24
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
Critical
GHSA-x8cv-xmq7-p8xp
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
Critical
GHSA-fq2m-6wqh-x44g
was published
for
praisonai
(pip)
Jun 18, 2026
praisonai: recipe serve auth middleware silently disables itself when no secret is set
Critical
GHSA-j4hj-7hfh-g2f4
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
Critical
GHSA-4869-x4pr-q22x
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: MCP SSE transport binds 0.0.0.0 with no authentication and no Origin validation; bundled SecurityConfig is never wired in
Critical
GHSA-x227-pf99-vffg
was published
for
praisonaiagents
(pip)
Jun 18, 2026
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Critical
CVE-2026-55450
was published
for
langflow
(pip)
Jun 17, 2026
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Critical
CVE-2026-56266
was published
for
crawl4ai
(pip)
Jun 16, 2026
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution
Critical
CVE-2026-47391
was published
for
PraisonAI
(pip)
May 29, 2026
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Critical
CVE-2026-47393
was published
for
PraisonAI
(pip)
May 29, 2026
PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset
Critical
CVE-2026-47396
was published
for
PraisonAI
(pip)
May 29, 2026
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
Critical
CVE-2026-42864
was published
for
firefighter-incident
(pip)
May 5, 2026
Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability
Critical
CVE-2026-4810
was published
for
google-adk
(pip)
Apr 13, 2026
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Critical
CVE-2026-40289
was published
for
PraisonAI
(pip)
Apr 10, 2026
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Critical
CVE-2026-39987
was published
for
marimo
(pip)
Apr 8, 2026
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
Critical
CVE-2026-0545
was published
for
mlflow
(pip)
Apr 3, 2026
PraisonAI Has Missing Authentication in WebSocket Gateway
Critical
CVE-2026-34952
was published
for
praisonai
(pip)
Apr 1, 2026
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Critical
CVE-2026-33017
was published
for
langflow
(pip)
Mar 17, 2026
Keylime Missing Authentication for Critical Function and Improper Authentication
Critical
CVE-2026-1709
was published
for
keylime
(pip)
Feb 6, 2026
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
Critical
CVE-2026-25505
was published
for
bambuddy
(pip)
Feb 2, 2026
BackendAI Missing Authentication for Critical Function
Critical
CVE-2025-49652
was published
for
backend.ai
(pip)
Jun 9, 2025
ProTip!
Advisories are also available from the
GraphQL API