GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
27 advisories
Filter by severity
Excon does not redact additional sensitive/risky headers when following redirects
Moderate
CVE-2026-54171
was published
for
excon
(RubyGems)
Jul 10, 2026
YesWiki has Authenticated SQL Injection via ReactionManager
High
CVE-2026-52775
was published
for
yeswiki/yeswiki
(Composer)
Jul 9, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
High
CVE-2026-44840
was published
for
github.com/dgraph-io/dgraph/v25
(Go)
Jun 29, 2026
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
High
GHSA-985r-q3qp-299h
was published
for
phpmyfaq/phpmyfaq
(Composer)
Jun 26, 2026
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Moderate
CVE-2026-48782
was published
for
pydantic-ai
(pip)
Jun 26, 2026
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Critical
CVE-2026-48814
was published
for
network-ai
(npm)
Jun 19, 2026
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery
Critical
GHSA-cwj8-7gp2-ggcw
was published
for
praisonai-platform
(pip)
Jun 18, 2026
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
Critical
GHSA-fq2m-6wqh-x44g
was published
for
praisonai
(pip)
Jun 18, 2026
praisonai: recipe serve auth middleware silently disables itself when no secret is set
Critical
GHSA-j4hj-7hfh-g2f4
was published
for
praisonai
(pip)
Jun 18, 2026
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
High
GHSA-vxgj-xg5c-p4h7
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder
Moderate
GHSA-pv2j-rghr-v5r9
was published
for
praisonaiagents
(pip)
Jun 18, 2026
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Moderate
CVE-2026-54236
was published
for
vllm
(pip)
Jun 17, 2026
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
High
CVE-2026-49853
was published
for
tornado
(pip)
Jun 15, 2026
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
Moderate
CVE-2026-48022
was published
for
@hapi/wreck
(npm)
Jun 11, 2026
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Critical
CVE-2026-47393
was published
for
PraisonAI
(pip)
May 29, 2026
PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334
High
CVE-2026-47398
was published
for
PraisonAI
(pip)
May 29, 2026
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
High
CVE-2026-45363
was published
for
jwt
(RubyGems)
May 18, 2026
AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
Moderate
CVE-2026-45620
was published
for
WWBN/AVideo
(Composer)
May 18, 2026
AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
Moderate
CVE-2026-45619
was published
for
WWBN/AVideo
(Composer)
May 15, 2026
slack-go `SecretsVerifier` accepts empty signing secret without precondition
Moderate
GHSA-gxhx-2686-5h9g
was published
for
github.com/slack-go/slack
(Go)
May 14, 2026
sse-channel: SSE Injection via unsanitized event fields
Moderate
CVE-2026-44217
was published
for
sse-channel
(npm)
May 5, 2026
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
High
CVE-2026-43884
was published
for
wwbn/avideo
(Composer)
May 5, 2026
DDEV has ZipSlip path traversal in tar and zip archive extraction
Moderate
CVE-2026-32885
was published
for
github.com/ddev/ddev
(Go)
Apr 22, 2026
Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
Moderate
CVE-2026-33693
was published
for
activitypub_federation
(Rust)
Mar 25, 2026
ProTip!
Advisories are also available from the
GraphQL API