Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

738 advisories

Loading
YLChen-007 Credited to YLChen-007
fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection Critical
CVE-2026-52830 was published for fast-mcp-telegram (pip) Jul 2, 2026
DavidCarliez Credited to DavidCarliez
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete Critical
CVE-2026-50027 was published for mcp-memory-service (pip) Jul 2, 2026
EQSTLab Credited to EQSTLab
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
raysabee Credited to raysabee and PeledTomer1 PeledTomer1 PeledTomer1
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin Critical
GHSA-98x5-vq43-vc5p was published for semantic-router (pip) Jun 26, 2026
jamescalam Credited to jamescalam
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise Critical
CVE-2026-55166 was published for lemur (pip) Jun 25, 2026
im-rootkid Credited to im-rootkid
motionEye Partial Authentication Bypass: Unauthenticated Admin Credential Theft via Path Traversal Critical
GHSA-phv5-334h-mxcw was published for motioneye (pip) Jun 23, 2026
pizza-power Credited to pizza-power and MichaIng MichaIng MichaIng
motionEye: LFI → pass‑the‑hash admin → unsafe restore → unauth action exec (RCE) Critical
GHSA-qxvg-h7q2-hcxh was published for motioneye (pip) Jun 23, 2026
C4spr0x1A Credited to C4spr0x1A and MichaIng MichaIng MichaIng
motionEye: Authentication possible via password hash Critical
CVE-2026-46488 was published for motioneye (pip) Jun 22, 2026
FireByteApplications Credited to FireByteApplications, 0xLynk, dimashn04, C4spr0x1A, sighnwaive, MichaIng, Marijn0, and zagrim 0xLynk 0xLynk
dimashn04 dimashn04 C4spr0x1A C4spr0x1A sighnwaive sighnwaive MichaIng MichaIng Marijn0 Marijn0 zagrim zagrim
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit Critical
CVE-2026-55447 was published for langflow (pip) Jun 19, 2026
vbCrLf Credited to vbCrLf, AntonioABLima, andifilhohub, erichare, and Adam-Aghili AntonioABLima AntonioABLima
andifilhohub andifilhohub erichare erichare Adam-Aghili Adam-Aghili
Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args Critical
GHSA-r253-r9jw-qg44 was published for crawl4ai (pip) Jun 18, 2026
hoanggxyuuki Credited to hoanggxyuuki
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE Critical
GHSA-2jq4-q6vv-4cp3 was published for crawl4ai (pip) Jun 18, 2026
netlicensing-mcp: REST Path Traversal Bypasses Token Redaction Critical
GHSA-hxpf-9xvq-wph8 was published for netlicensing-mcp (pip) Jun 18, 2026
EQSTLab Credited to EQSTLab
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP Critical
CVE-2026-44727 was published for jupyter-server (pip) Jun 18, 2026
pikaball Credited to pikaball, y011d4, 0xHunSec, Yann-P, and Carreau y011d4 y011d4
0xHunSec 0xHunSec Yann-P Yann-P Carreau Carreau
python-statemachine SCXML <data expr> Eval Injection Critical
CVE-2026-47103 was published for python-statemachine (pip) Jun 18, 2026
wsparks-vc Credited to wsparks-vc and SaiTeja-Erukude SaiTeja-Erukude SaiTeja-Erukude
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery Critical
GHSA-cwj8-7gp2-ggcw was published for praisonai-platform (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard) Critical
GHSA-f38v-77qj-h4jq was published for praisonai-platform (pip) Jun 18, 2026
Yanchon918s Credited to Yanchon918s
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation Critical
GHSA-29w3-p9w9-wc47 was published for praisonai (pip) Jun 18, 2026
sondt99 Credited to sondt99
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation Critical
GHSA-892r-p3jq-jp24 was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints Critical
GHSA-x8cv-xmq7-p8xp was published for praisonaiagents (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication Critical
GHSA-fq2m-6wqh-x44g was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
ProTip! Advisories are also available from the GraphQL API