GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: Composer 5,000+, Erlang 48, GitHub Actions 48, Go 3,391, Maven 5,000+, npm 5,000+, NuGet 882, pip 4,614, Pub 13, RubyGems 1,013, Rust 1,205, Swift 51. Unreviewed advisories: 5,000+.
28,209 advisories listed
Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster
Critical | CVE-2026-4370 | github.com/juju/juju (Go) | published Apr 2, 2026
mcp-handler has a tool response leak across concurrent client sessions ('Race Condition')
High | GHSA-w2fm-25vw-vh7f | mcp-handler (npm) | published Apr 1, 2026
EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory
High | GHSA-32wq-ppwg-3w4m | EnhancedLinq.Async (NuGet) | published Apr 1, 2026
lodash vulnerable to Code Injection via `_.template` imports key names
High | CVE-2026-4800 | lodash (npm) | published Apr 1, 2026
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Moderate | CVE-2026-2950 | lodash (npm) | published Apr 1, 2026
listmonk's active sessions remain valid after password reset and password change
High | CVE-2026-34828 | github.com/knadh/listmonk (Go) | published Apr 1, 2026
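The failure mode named in the entry above, a session that keeps working after the password it was created under has been changed, as a generic added example. This is illustration code written for this page, not listmonk's code; the in-memory store, the user record with its `pw_generation` counter, and the function names are all assumptions made for the example.

```python
"""Sessions surviving a password change, and a store that binds each session
to the credential generation it was issued under (added example, not
listmonk's code)."""
import secrets
from typing import Optional


class SessionStore:
    """users maps username -> {"pw_hash": ..., "pw_generation": int}.
    'pw_generation' is bumped on every password change or reset and is the
    only field a session needs to be compared against."""

    def __init__(self, users: dict):
        self._users = users
        self._sessions = {}  # token -> (username, pw_generation at issue)

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._users[username]["pw_generation"])
        return token

    def is_valid_naive(self, token: str) -> bool:
        """Only asks 'does the token exist?'. A session created before the
        password changed keeps working, which is the reported behaviour."""
        return token in self._sessions

    def is_valid(self, token: str) -> bool:
        """Also compare the generation the session was issued under with the
        user's current one: a password change invalidates every older session
        without the server having to find and delete each of them."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        username, issued_gen = entry
        return issued_gen == self._users[username]["pw_generation"]

    def change_password(self, username: str, new_hash: str,
                        keep_token: Optional[str] = None) -> None:
        """Rotate the credential and bump the generation. Optionally re-issue
        the caller's own session so the person changing the password is not
        logged out of the browser they did it from."""
        self._users[username]["pw_hash"] = new_hash
        self._users[username]["pw_generation"] += 1
        if keep_token is not None and keep_token in self._sessions:
            self._sessions[keep_token] = (username, self._users[username]["pw_generation"])


def demo() -> dict:
    """Constructed scenario: one session held by an attacker, one by the
    victim, then the victim resets the password."""
    users = {"alice": {"pw_hash": "hash-v1", "pw_generation": 1}}
    store = SessionStore(users)
    stolen = store.login("alice")  # attacker-held session
    own = store.login("alice")     # victim's own browser
    store.change_password("alice", "hash-v2", keep_token=own)
    return {
        "stolen_naive": store.is_valid_naive(stolen),  # True: still usable
        "stolen_fixed": store.is_valid(stolen),        # False: cut off
        "own_fixed": store.is_valid(own),              # True: re-issued
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is a stand-in for whatever the application already stores per user (a "password changed at" timestamp works the same way); the check belongs in the request-authentication path, not only at login.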
NocoBase Has SQL Injection via template variable substitution in workflow SQL node
High | CVE-2026-34825 | @nocobase/plugin-workflow-sql (npm) | published Apr 1, 2026
phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation
Moderate | CVE-2026-34974 | thorsten/phpmyfaq (Composer) | published Apr 1, 2026
phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure
Moderate | CVE-2026-34973 | thorsten/phpmyfaq (Composer) | published Apr 1, 2026
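The vulnerability class named in the entry above, LIKE metacharacters left unescaped in a search term, as a generic added example. This is illustration code written for this page and is not phpMyFAQ's code; it does not reproduce its Search.php. The table, rows and function names are constructed for the example, and it uses sqlite3 so that it runs offline. Note that the query is parameterised throughout: this is not classic SQL injection, the problem is that `%` and `_` keep their wildcard meaning inside the bound value.

```python
"""LIKE wildcard injection and its fix (added example, not phpMyFAQ's code)."""
import sqlite3

# Constructed sample data, not taken from any real FAQ.
ROWS = [
    (1, "How do I reset my password?", "public"),
    (2, "Internal escalation procedure", "internal"),
    (3, "Admin API keys location", "internal"),
]


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faq (id INTEGER, question TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO faq VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(term: str) -> list:
    """Bound parameter, but the user's term goes into LIKE unescaped.
    A term of '%' matches every row; '_' lets a caller probe single
    characters, so content the search was not meant to reveal can be
    enumerated."""
    cur = _db().execute(
        "SELECT id FROM faq WHERE question LIKE ?", ("%" + term + "%",)
    )
    return [r[0] for r in cur.fetchall()]


def escape_like(term: str, esc: str = "\\") -> str:
    """Neutralise LIKE metacharacters. The escape character itself must be
    doubled first, otherwise a trailing backslash in the input would escape
    the '%' appended by the caller."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_fixed(term: str) -> list:
    """Same query with the term escaped and an explicit ESCAPE clause, so
    '%' and '_' from the user are matched literally."""
    cur = _db().execute(
        "SELECT id FROM faq WHERE question LIKE ? ESCAPE '\\'",
        ("%" + escape_like(term) + "%",),
    )
    return [r[0] for r in cur.fetchall()]


if __name__ == "__main__":
    print("vulnerable '%':", search_vulnerable("%"))    # every row
    print("fixed '%':", search_fixed("%"))              # nothing
    print("vulnerable 'A_min':", search_vulnerable("A_min"))  # probes 'Admin'
    print("fixed 'A_min':", search_fixed("A_min"))
```

The escape character is database-specific (MySQL's default is backslash, but only when `NO_BACKSLASH_ESCAPES` is off; PostgreSQL and SQLite take whatever the ESCAPE clause names), so always state it explicitly rather than relying on the default.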
ONNX: TOCTOU arbitrary file read/write in save_external_dat
High | GHSA-q56x-g2fj-4rj6 | onnx (pip) | published Apr 1, 2026
Ferret: Path Traversal in IO::FS::WRITE allows arbitrary file write when scraping malicious websites
High | CVE-2026-34783 | github.com/MontFerret/ferret (Go) | published Apr 1, 2026
Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback
Low | CVE-2026-34969 | github.com/nhost/nhost (Go) | published Apr 1, 2026
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
Critical | CVE-2026-34953 | praisonai (pip) | published Apr 1, 2026
PraisonAI Has Missing Authentication in WebSocket Gateway
Critical | CVE-2026-34952 | praisonai (pip) | published Apr 1, 2026
PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
High | CVE-2026-34954 | praisonaiagents (pip) | published Apr 1, 2026
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
High | CVE-2026-34955 | praisonai (pip) | published Apr 1, 2026
AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin
Moderate | GHSA-gmpc-fxg2-vcmq | wwbn/avideo (Composer) | published Apr 1, 2026
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
High | CVE-2026-34940 | github.com/kubeai-project/kubeai (Go) | published Apr 1, 2026
PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback
High | CVE-2026-34936 | praisonai (pip) | published Apr 1, 2026
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()
Moderate | CVE-2026-34939 | praisonai (pip) | published Apr 1, 2026
PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`
Critical | CVE-2026-34934 | praisonai (pip) | published Apr 1, 2026
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
Critical | CVE-2026-34935 | praisonai (pip) | published Apr 1, 2026
PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
High | CVE-2026-34937 | praisonaiagents (pip) | published Apr 1, 2026
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
Critical | CVE-2026-34938 | praisonaiagents (pip) | published Apr 1, 2026
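The mechanism named in the entry above, a `str` subclass whose overridden `startswith()` satisfies a prefix check, as a generic added example. This is illustration code written for this page; it is not PraisonAI's code and says nothing about how its `execute_code` is actually written. The allowed prefix `SANDBOX_ROOT` and the names `LyingStr`, `check_naive` and `check_hardened` are assumptions made for the example. The general point applies to any validator that calls a method on an untrusted object: the object, not the validator, decides what that method returns.

```python
"""A prefix check defeated by a str subclass, and one that is not
(added example, not PraisonAI's code)."""
import posixpath

SANDBOX_ROOT = "/sandbox/"  # hypothetical allowed prefix


class LyingStr(str):
    """A str subclass whose startswith() always answers yes. Such a value
    reaches a validator whenever untrusted code can construct objects rather
    than only supply text, e.g. an evaluated expression, an unpickled
    payload, or a value returned from an earlier sandboxed call."""

    def startswith(self, *args, **kwargs):
        return True


def check_naive(path) -> bool:
    """Calls the method on the object, so dispatch goes to the override."""
    return path.startswith(SANDBOX_ROOT)


def check_hardened(path) -> bool:
    """Reject anything that is not exactly str (isinstance would admit the
    subclass), normalise so '..' cannot walk out of the prefix, then call
    the unbound base-class method so that no override can answer for it.
    The type check alone closes the hole; the unbound call keeps the check
    correct if someone later relaxes the type test."""
    if type(path) is not str:
        return False
    norm = posixpath.normpath(path)
    return str.startswith(norm, SANDBOX_ROOT)


if __name__ == "__main__":
    print("naive, honest path:", check_naive("/sandbox/notes.txt"))        # True
    print("naive, lying str:", check_naive(LyingStr("/etc/passwd")))      # True (bypass)
    print("hardened, lying str:", check_hardened(LyingStr("/etc/passwd")))  # False
    print("hardened, traversal:", check_hardened("/sandbox/../etc/passwd"))  # False
```

The same reasoning applies to `__eq__`, `__contains__`, `__len__` and `__str__` overrides: a blocklist or allowlist that interrogates the untrusted value's own methods is only as honest as that value, so coerce to a known type first and operate on the result.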
Parse Server's streaming file download bypasses afterFind file trigger authorization
High | CVE-2026-34784 | parse-server (npm) | published Apr 1, 2026
Advisories are also available from the GraphQL API.