Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27 advisories

Loading
Excon does not redact additional sensitive/risky headers when following redirects Moderate
CVE-2026-54171 was published for excon (RubyGems) Jul 10, 2026
SnailSploit Credited to SnailSploit
YesWiki has Authenticated SQL Injection via ReactionManager High
CVE-2026-52775 was published for yeswiki/yeswiki (Composer) Jul 9, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query High
CVE-2026-44840 was published for github.com/dgraph-io/dgraph/v25 (Go) Jun 29, 2026
SnailSploit Credited to SnailSploit
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards High
GHSA-985r-q3qp-299h was published for phpmyfaq/phpmyfaq (Composer) Jun 26, 2026
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests Critical
CVE-2026-48814 was published for network-ai (npm) Jun 19, 2026
SnailSploit Credited to SnailSploit
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery Critical
GHSA-cwj8-7gp2-ggcw was published for praisonai-platform (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication Critical
GHSA-fq2m-6wqh-x44g was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
praisonai: recipe serve auth middleware silently disables itself when no secret is set Critical
GHSA-j4hj-7hfh-g2f4 was published for praisonai (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS High
GHSA-vxgj-xg5c-p4h7 was published for praisonaiagents (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder Moderate
GHSA-pv2j-rghr-v5r9 was published for praisonaiagents (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router Moderate
CVE-2026-54236 was published for vllm (pip) Jun 17, 2026
SnailSploit Credited to SnailSploit and jperezdealgaba jperezdealgaba jperezdealgaba
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient High
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
noobone123 Credited to noobone123, SnailSploit, 0xHunSec, and sondt99 SnailSploit SnailSploit
0xHunSec 0xHunSec sondt99 sondt99
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects Moderate
CVE-2026-48022 was published for @hapi/wreck (npm) Jun 11, 2026
SnailSploit Credited to SnailSploit
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default Critical
CVE-2026-47393 was published for PraisonAI (pip) May 29, 2026
SnailSploit Credited to SnailSploit
SnailSploit Credited to SnailSploit
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 High
CVE-2026-45363 was published for jwt (RubyGems) May 18, 2026
SnailSploit Credited to SnailSploit, perryn, evansalter, and canderson-activatecare perryn perryn
evansalter evansalter canderson-activatecare canderson-activatecare
SnailSploit Credited to SnailSploit
slack-go `SecretsVerifier` accepts empty signing secret without precondition Moderate
GHSA-gxhx-2686-5h9g was published for github.com/slack-go/slack (Go) May 14, 2026
SnailSploit Credited to SnailSploit and massif-01 massif-01 massif-01
sse-channel: SSE Injection via unsanitized event fields Moderate
CVE-2026-44217 was published for sse-channel (npm) May 5, 2026
SnailSploit Credited to SnailSploit
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() High
CVE-2026-43884 was published for wwbn/avideo (Composer) May 5, 2026
SnailSploit Credited to SnailSploit
DDEV has ZipSlip path traversal in tar and zip archive extraction Moderate
CVE-2026-32885 was published for github.com/ddev/ddev (Go) Apr 22, 2026
SnailSploit Credited to SnailSploit
Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() Moderate
CVE-2026-33693 was published for activitypub_federation (Rust) Mar 25, 2026
SnailSploit Credited to SnailSploit
ProTip! Advisories are also available from the GraphQL API