
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,270 advisories

When Vitest UI server is listening, arbitrary file can be read and executed Critical
CVE-2026-47429 was published for vitest (npm) Jun 1, 2026
Credited to sapphi-red, qispark, joevin-slq-docto, koteswar-k, SaronGrave, and jason-anthropic
Credited to offset and 0xEr3n

PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation Critical
CVE-2026-47407 was published for praisonai-platform (pip) May 29, 2026
Credited to spbavarva

PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution Critical
CVE-2026-47391 was published for PraisonAI (pip) May 29, 2026
Credited to foxirain
Credited to q1uf3ng

PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default Critical
CVE-2026-47393 was published for PraisonAI (pip) May 29, 2026
Credited to SnailSploit
Credited to beanduan22

stigmem-node's federation peer registration lacked explicit out-of-band approval Critical
GHSA-9vp8-3hmv-8fgh was published for stigmem-node (pip) May 29, 2026

stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation Critical
GHSA-jmfc-hfjq-pxcp was published for stigmem-node (pip) May 29, 2026

stigmem-node: Auth-disabled deployments may grant broad anonymous access outside loopback Critical
GHSA-fp6w-8wpg-74g5 was published for stigmem-node (pip) May 29, 2026

amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection Critical
CVE-2026-8838 was published for redshift-connector (pip) May 29, 2026
Credited to 0bi0

NodeVM builtin denylist bypass via process and inspector/promises allows host code execution Critical
CVE-2026-47140 was published for vm2 (npm) May 29, 2026
Credited to spbavarva and VladimirEliTokarev

vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass Critical
CVE-2026-47210 was published for vm2 (npm) May 29, 2026
Credited to RealHurrison
Credited to q1uf3ngONEKEY

vm2 is Vulnerable to Sandbox Breakout Through Promise Species Critical
CVE-2026-47208 was published for vm2 (npm) May 29, 2026
Credited to XmiliaH

vm2 has a Sandbox Escape issue Critical
CVE-2026-47131 was published for vm2 (npm) May 29, 2026
Credited to cookesan

Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection Critical
CVE-2026-46621 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
Credited to superpegaso2703

Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override Critical
CVE-2026-46562 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
Credited to 2BCEB1

Langroid has Prompt to SQL Injection, Leading to RCE Critical
CVE-2026-25879 was published for langroid (pip) May 27, 2026
Credited to Ka7arotto

LiquidJS is Vulnerable to Remote Code Execution Critical
CVE-2026-45618 was published for liquidjs (npm) May 27, 2026
Credited to c0rydoras

Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory` Critical
CVE-2026-44632 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
Credited to superpegaso2703

XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} Critical
CVE-2026-33137 was published for org.xwiki.platform:xwiki-platform-rest-server (Maven) May 26, 2026
Credited to odgrso

XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash Critical
CVE-2026-23734 was published for org.xwiki.commons:xwiki-commons-classloader-api (Maven) May 26, 2026
Credited to majkelstick

Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron Critical
CVE-2026-46716 was published for github.com/nezhahq/nezha (Go) May 23, 2026