GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
32 advisories
Filter by severity
Missing Authentication for Critical Function in Apache Airflow
Critical
CVE-2021-38540
was published
for
apache-airflow
(pip)
May 24, 2022
Improper Authentication in Apache Spark
Critical
CVE-2020-9480
was published
for
org.apache.spark:spark-parent_2.11
(Maven)
Feb 10, 2022
Rdiffweb is missing authentication for critical function
Critical
CVE-2022-3327
was published
for
rdiffweb
(pip)
Oct 20, 2022
SaltStack Salt Unauthenticated Remote Code Execution
Critical
CVE-2020-11651
was published
for
salt
(pip)
May 24, 2022
Jupyter Server Proxy's Websocket Proxying does not require authentication
Critical
CVE-2024-28179
was published
for
jupyter-server-proxy
(pip)
Mar 20, 2024
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint
Critical
GHSA-c995-4fw3-j39m
was published
for
langflow
(pip)
Apr 7, 2025
•
withdrawn
Authentication bypass in Apache Airflow
Critical
CVE-2020-13927
was published
for
apache-airflow
(pip)
Apr 30, 2021
BackendAI Missing Authentication for Critical Function
Critical
CVE-2025-49652
was published
for
backend.ai
(pip)
Jun 9, 2025
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
Critical
CVE-2026-25505
was published
for
bambuddy
(pip)
Feb 2, 2026
PraisonAI Has Missing Authentication in WebSocket Gateway
Critical
CVE-2026-34952
was published
for
praisonai
(pip)
Apr 1, 2026
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
Critical
CVE-2026-0545
was published
for
mlflow
(pip)
Apr 3, 2026
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Critical
CVE-2026-40289
was published
for
PraisonAI
(pip)
Apr 10, 2026
Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability
Critical
CVE-2026-4810
was published
for
google-adk
(pip)
Apr 13, 2026
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Critical
CVE-2026-39987
was published
for
marimo
(pip)
Apr 8, 2026
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
Critical
CVE-2026-42864
was published
for
firefighter-incident
(pip)
May 5, 2026
PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset
Critical
CVE-2026-47396
was published
for
PraisonAI
(pip)
May 29, 2026
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Critical
CVE-2026-47393
was published
for
PraisonAI
(pip)
May 29, 2026
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution
Critical
CVE-2026-47391
was published
for
PraisonAI
(pip)
May 29, 2026
Keylime Missing Authentication for Critical Function and Improper Authentication
Critical
CVE-2026-1709
was published
for
keylime
(pip)
Feb 6, 2026
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Critical
CVE-2026-33017
was published
for
langflow
(pip)
Mar 17, 2026
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Critical
CVE-2026-55450
was published
for
langflow
(pip)
Jun 17, 2026
PraisonAI: MCP SSE transport binds 0.0.0.0 with no authentication and no Origin validation; bundled SecurityConfig is never wired in
Critical
GHSA-x227-pf99-vffg
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
Critical
GHSA-4869-x4pr-q22x
was published
for
praisonai
(pip)
Jun 18, 2026
praisonai: recipe serve auth middleware silently disables itself when no secret is set
Critical
GHSA-j4hj-7hfh-g2f4
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
Critical
GHSA-fq2m-6wqh-x44g
was published
for
praisonai
(pip)
Jun 18, 2026
ProTip!
Advisories are also available from the
GraphQL API