Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

85 advisories

Loading
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) Critical
CVE-2026-54088 was published for github.com/filebrowser/filebrowser/v2 (Go) Jul 10, 2026
Saku0512 Credited to Saku0512 and hacdias hacdias hacdias
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE Critical
CVE-2026-53649 was published for github.com/BishopFox/joro (Go) Jul 8, 2026
stover-BF Credited to stover-BF
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete Critical
CVE-2026-50027 was published for mcp-memory-service (pip) Jul 2, 2026
EQSTLab Credited to EQSTLab
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
raysabee Credited to raysabee and PeledTomer1 PeledTomer1 PeledTomer1
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE) Critical
GHSA-qxvg-h7q2-hcxh was published for motioneye (pip) Jun 23, 2026
C4spr0x1A Credited to C4spr0x1A and MichaIng MichaIng MichaIng
Tilt: Missing authentication on the network-exposed Tilt HUD server Critical
CVE-2026-55884 was published for github.com/tilt-dev/tilt (Go) Jun 19, 2026
therawdev Credited to therawdev
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests Critical
CVE-2026-48814 was published for network-ai (npm) Jun 19, 2026
SnailSploit Credited to SnailSploit
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call Critical
GHSA-j4f3-55x4-r6q2 was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation Critical
GHSA-9752-mhqh-h34f was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation Critical
GHSA-892r-p3jq-jp24 was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints Critical
GHSA-x8cv-xmq7-p8xp was published for praisonaiagents (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication Critical
GHSA-fq2m-6wqh-x44g was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
praisonai: recipe serve auth middleware silently disables itself when no secret is set Critical
GHSA-j4hj-7hfh-g2f4 was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass Critical
GHSA-4869-x4pr-q22x was published for praisonai (pip) Jun 18, 2026
lc13n Credited to lc13n
sour-exploit Credited to sour-exploit
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak Critical
CVE-2026-55450 was published for langflow (pip) Jun 17, 2026
vbCrLf Credited to vbCrLf, Jkavia, erichare, AntonioABLima, andifilhohub, and Adam-Aghili Jkavia Jkavia
erichare erichare AntonioABLima AntonioABLima andifilhohub andifilhohub Adam-Aghili Adam-Aghili
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix Critical
CVE-2026-49980 was published for github.com/rclone/rclone (Go) Jun 16, 2026
kamil-sawicki Credited to kamil-sawicki and ncw ncw ncw
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution Critical
CVE-2026-56266 was published for crawl4ai (pip) Jun 16, 2026
August829 Credited to August829
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution Critical
CVE-2026-47391 was published for PraisonAI (pip) May 29, 2026
foxirain Credited to foxirain
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default Critical
CVE-2026-47393 was published for PraisonAI (pip) May 29, 2026
SnailSploit Credited to SnailSploit
beanduan22 Credited to beanduan22
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes Critical
CVE-2026-46339 was published for 9router (npm) May 19, 2026
sondt99 Credited to sondt99
ProTip! Advisories are also available from the GraphQL API