GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,910 advisories
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
Critical
CVE-2026-34938
was published
for
praisonaiagents
(pip)
Apr 1, 2026
CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
Critical
CVE-2026-34571
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34569
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34568
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34567
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34566
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34565
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34564
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
Critical
CVE-2026-34563
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34560
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34559
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
Payload has Unvalidated Input in Password Recovery Endpoints
Critical
CVE-2026-34751
was published
for
@payloadcms/graphql
(npm)
Apr 1, 2026
CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34557
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34558
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 1, 2026
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
Critical
GHSA-8rh7-6779-cjqq
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
Critical
GHSA-j7p2-qcwm-94v4
was published
for
openclaw
(npm)
Mar 31, 2026
parse-server has cloud function validator bypass via prototype chain traversal
Critical
CVE-2026-34532
was published
for
parse-server
(npm)
Mar 31, 2026
SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Critical
CVE-2026-34449
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 31, 2026
SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client
Critical
CVE-2026-34448
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 31, 2026
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Critical
CVE-2026-32871
was published
for
fastmcp
(pip)
Mar 31, 2026
SciTokens is vulnerable to SQL Injection in KeyCache
Critical
CVE-2026-32714
was published
for
scitokens
(pip)
Mar 31, 2026
baserCMS Update Functionality Vulnerable to OS Command Injection
Critical
CVE-2026-30877
was published
for
baserproject/basercms
(Composer)
Mar 31, 2026
baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)
Critical
CVE-2026-21861
was published
for
baserproject/basercms
(Composer)
Mar 31, 2026
ProTip!
Advisories are also available from the
GraphQL API