Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32 advisories

Loading
Missing Authentication for Critical Function in Apache Airflow Critical
CVE-2021-38540 was published for apache-airflow (pip) May 24, 2022
Improper Authentication in Apache Spark Critical
CVE-2020-9480 was published for org.apache.spark:spark-parent_2.11 (Maven) Feb 10, 2022
Rdiffweb is missing authentication for critical function Critical
CVE-2022-3327 was published for rdiffweb (pip) Oct 20, 2022
SaltStack Salt Unauthenticated Remote Code Execution Critical
CVE-2020-11651 was published for salt (pip) May 24, 2022
Jupyter Server Proxy's Websocket Proxying does not require authentication Critical
CVE-2024-28179 was published for jupyter-server-proxy (pip) Mar 20, 2024
yuvipanda Credited to yuvipanda, consideRatio, manics, minrk, krassowski, dlqqq, and eddelbuettel consideRatio consideRatio
manics manics minrk minrk krassowski krassowski dlqqq dlqqq eddelbuettel eddelbuettel
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint Critical
GHSA-c995-4fw3-j39m was published for langflow (pip) Apr 7, 2025 withdrawn
Authentication bypass in Apache Airflow Critical
CVE-2020-13927 was published for apache-airflow (pip) Apr 30, 2021
sunSUNQ Credited to sunSUNQ
BackendAI Missing Authentication for Critical Function Critical
CVE-2025-49652 was published for backend.ai (pip) Jun 9, 2025
Yaminyam Credited to Yaminyam
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication Critical
CVE-2026-25505 was published for bambuddy (pip) Feb 2, 2026
Speenah Credited to Speenah
PraisonAI Has Missing Authentication in WebSocket Gateway Critical
CVE-2026-34952 was published for praisonai (pip) Apr 1, 2026
YeranG30 Credited to YeranG30
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions Critical
CVE-2026-40289 was published for PraisonAI (pip) Apr 10, 2026
R1ZZG0D Credited to R1ZZG0D
Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability Critical
CVE-2026-4810 was published for google-adk (pip) Apr 13, 2026
philrollet Credited to philrollet
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass Critical
CVE-2026-39987 was published for marimo (pip) Apr 8, 2026
q1uf3ng Credited to q1uf3ng
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft Critical
CVE-2026-42864 was published for firefighter-incident (pip) May 5, 2026
beanduan22 Credited to beanduan22
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default Critical
CVE-2026-47393 was published for PraisonAI (pip) May 29, 2026
SnailSploit Credited to SnailSploit
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution Critical
CVE-2026-47391 was published for PraisonAI (pip) May 29, 2026
foxirain Credited to foxirain
Keylime Missing Authentication for Critical Function and Improper Authentication Critical
CVE-2026-1709 was published for keylime (pip) Feb 6, 2026
saivarun3407 Credited to saivarun3407 and Reaper-Legion Reaper-Legion Reaper-Legion
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint Critical
CVE-2026-33017 was published for langflow (pip) Mar 17, 2026
Aviral2642 Credited to Aviral2642, andifilhohub, Jkavia, and srmish-jfrog andifilhohub andifilhohub
Jkavia Jkavia srmish-jfrog srmish-jfrog
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak Critical
CVE-2026-55450 was published for langflow (pip) Jun 17, 2026
vbCrLf Credited to vbCrLf, Jkavia, erichare, AntonioABLima, andifilhohub, and Adam-Aghili Jkavia Jkavia
erichare erichare AntonioABLima AntonioABLima andifilhohub andifilhohub Adam-Aghili Adam-Aghili
sour-exploit Credited to sour-exploit
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass Critical
GHSA-4869-x4pr-q22x was published for praisonai (pip) Jun 18, 2026
lc13n Credited to lc13n
praisonai: recipe serve auth middleware silently disables itself when no secret is set Critical
GHSA-j4hj-7hfh-g2f4 was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication Critical
GHSA-fq2m-6wqh-x44g was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
ProTip! Advisories are also available from the GraphQL API