GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
85 advisories
Filter by severity
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Critical
CVE-2026-54088
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jul 10, 2026
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Critical
CVE-2026-53649
was published
for
github.com/BishopFox/joro
(Go)
Jul 8, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical
CVE-2026-26190
was published
for
github.com/milvus-io/milvus
(Go)
Feb 11, 2026
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete
Critical
CVE-2026-50027
was published
for
mcp-memory-service
(pip)
Jul 2, 2026
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Critical
CVE-2026-49257
was published
for
mcp-pinot-server
(pip)
Jun 26, 2026
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Critical
CVE-2026-56266
was published
for
crawl4ai
(pip)
Jun 16, 2026
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE)
Critical
GHSA-qxvg-h7q2-hcxh
was published
for
motioneye
(pip)
Jun 23, 2026
Tilt: Missing authentication on the network-exposed Tilt HUD server
Critical
CVE-2026-55884
was published
for
github.com/tilt-dev/tilt
(Go)
Jun 19, 2026
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Critical
CVE-2026-48814
was published
for
network-ai
(npm)
Jun 19, 2026
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
Critical
GHSA-j4f3-55x4-r6q2
was published
for
praisonai
(npm)
Jun 18, 2026
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
Critical
GHSA-9752-mhqh-h34f
was published
for
praisonai
(npm)
Jun 18, 2026
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
Critical
GHSA-p75f-6fp4-p57w
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
Critical
GHSA-892r-p3jq-jp24
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
Critical
GHSA-x8cv-xmq7-p8xp
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
Critical
GHSA-fq2m-6wqh-x44g
was published
for
praisonai
(pip)
Jun 18, 2026
praisonai: recipe serve auth middleware silently disables itself when no secret is set
Critical
GHSA-j4hj-7hfh-g2f4
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
Critical
GHSA-4869-x4pr-q22x
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: MCP SSE transport binds 0.0.0.0 with no authentication and no Origin validation; bundled SecurityConfig is never wired in
Critical
GHSA-x227-pf99-vffg
was published
for
praisonaiagents
(pip)
Jun 18, 2026
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Critical
CVE-2026-55450
was published
for
langflow
(pip)
Jun 17, 2026
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Critical
CVE-2026-49980
was published
for
github.com/rclone/rclone
(Go)
Jun 16, 2026
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
Critical
CVE-2026-42074
was published
for
openclaude
(npm)
May 12, 2026
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
Critical
CVE-2026-44211
was published
for
cline
(npm)
May 8, 2026
SillyTavern has Authentication Bypass via SSO Header Injection
Critical
CVE-2026-44649
was published
for
sillytavern
(npm)
May 12, 2026
ProTip!
Advisories are also available from the
GraphQL API