GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
584 advisories
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
Critical
CVE-2026-34953
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI Has Missing Authentication in WebSocket Gateway
Critical
CVE-2026-34952
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`
Critical
CVE-2026-34934
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
Critical
CVE-2026-34935
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
Critical
CVE-2026-34938
was published
for
praisonaiagents
(pip)
Apr 1, 2026
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Critical
CVE-2026-32871
was published
for
fastmcp
(pip)
Mar 31, 2026
SciTokens is vulnerable to SQL Injection in KeyCache
Critical
CVE-2026-32714
was published
for
scitokens
(pip)
Mar 31, 2026
MLflow Command Injection vulnerability
Critical
CVE-2025-15379
was published
for
mlflow
(pip)
Mar 30, 2026
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Critical
CVE-2026-33992
was published
for
pyload-ng
(pip)
Mar 27, 2026
Langflow has Authenticated Code Execution in Agentic Assistant Validation
Critical
CVE-2026-33873
was published
for
langflow
(pip)
Mar 26, 2026
Langflow has an Arbitrary File Write (RCE) via v2 API
Critical
CVE-2026-33309
was published
for
langflow
(pip)
Mar 19, 2026
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py
Critical
CVE-2026-33057
was published
for
mesop
(pip)
Mar 18, 2026
Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion
Critical
CVE-2026-33054
was published
for
mesop
(pip)
Mar 18, 2026
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Critical
CVE-2026-33017
was published
for
langflow
(pip)
Mar 17, 2026
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical
CVE-2026-32633
was published
for
Glances
(pip)
Mar 16, 2026
Authlib JWS JWK Header Injection: Signature Verification Bypass
Critical
CVE-2026-27962
was published
for
authlib
(pip)
Mar 16, 2026
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment
Critical
CVE-2026-27825
was published
for
mcp-atlassian
(pip)
Mar 10, 2026
PickleScan has multiple stdlib modules with direct RCE not in blocklist
Critical
GHSA-g38g-8gr9-h9xp
was published
for
picklescan
(pip)
Mar 3, 2026
PickleScan's pkgutil.resolve_name has a universal blocklist bypass
Critical
GHSA-vvpj-8cmc-gx39
was published
for
picklescan
(pip)
Mar 3, 2026
ProTip!
Advisories are also available from the
GraphQL API