GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,910 advisories
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Critical
CVE-2026-35459
was published
for
pyload-ng
(pip)
Apr 4, 2026
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Critical
CVE-2026-35216
was published
for
@budibase/server
(npm)
Apr 4, 2026
Mflow: Command Injection when serving models with enable_mlserver=True
Critical
CVE-2026-0596
was published
for
mflow
(pip)
Mar 31, 2026
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
Critical
CVE-2026-35030
was published
for
litellm
(pip)
Apr 3, 2026
goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Critical
CVE-2026-35471
was published
for
github.com/patrickhener/goshs
(Go)
Apr 3, 2026
SandboxJS: Sandbox integrity escape
Critical
CVE-2026-34208
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Critical
CVE-2026-33950
was published
for
signalk-server
(npm)
Apr 3, 2026
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical
CVE-2026-31818
was published
for
@budibase/backend-core
(npm)
Apr 3, 2026
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload
Critical
CVE-2026-35393
was published
for
github.com/patrickhener/goshs
(Go)
Apr 3, 2026
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
Critical
CVE-2026-35392
was published
for
github.com/patrickhener/goshs
(Go)
Apr 3, 2026
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Critical
CVE-2026-35039
was published
for
fast-jwt
(npm)
Apr 3, 2026
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Critical
CVE-2026-34989
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 3, 2026
Kedro has Arbitrary Code Execution via Malicious Logging Configuration
Critical
CVE-2026-35171
was published
for
kedro
(pip)
Apr 3, 2026
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Critical
GHSA-xg6x-h9c9-2m83
was published
for
better-auth
(npm)
Apr 3, 2026
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
Critical
GHSA-9p3r-hh9g-5cmg
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
Critical
GHSA-g5cg-8x5w-7jpm
was published
for
openclaw
(npm)
Apr 2, 2026
Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization
Critical
CVE-2026-34976
was published
for
github.com/dgraph-io/dgraph
(Go)
Apr 2, 2026
fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
Critical
CVE-2026-34950
was published
for
fast-jwt
(npm)
Apr 2, 2026
Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster
Critical
CVE-2026-4370
was published
for
github.com/juju/juju
(Go)
Apr 2, 2026
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
Critical
CVE-2026-34953
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI Has Missing Authentication in WebSocket Gateway
Critical
CVE-2026-34952
was published
for
praisonai
(pip)
Apr 1, 2026
PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`
Critical
CVE-2026-34934
was published
for
praisonai
(pip)
Apr 1, 2026
ProTip!
Advisories are also available from the
GraphQL API