
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,618 advisories

Ajenti has an authorization bypass during custom package installation (High)
CVE-2026-35175 was published for ajenti-panel (pip) Apr 3, 2026
Credited to Thien225409

Kedro has Arbitrary Code Execution via Malicious Logging Configuration (Critical)
CVE-2026-35171 was published for kedro (pip) Apr 3, 2026
Credited to Wernerina

Kedro: Path Traversal in versioned dataset loading via unsanitized version string (High)
CVE-2026-35167 was published for kedro (pip) Apr 3, 2026

D-Tale: Remote Code Execution through redis/shelf storage (Moderate)
CVE-2026-35052 was published for dtale (pip) Apr 3, 2026
Credited to QiaoNPC

ONNX: TOCTOU arbitrary file read/write in save_external_dat (High)
GHSA-q56x-g2fj-4rj6 was published for onnx (pip) Apr 1, 2026
Credited to tsigouris007 and kpatsakis

PraisonAI Has Authentication Bypass via OAuthManager.validate_token() (Critical)
CVE-2026-34953 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI Has Missing Authentication in WebSocket Gateway (Critical)
CVE-2026-34952 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL (High)
CVE-2026-34954 was published for praisonaiagents (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox (High)
CVE-2026-34955 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback (High)
CVE-2026-34936 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() (Moderate)
CVE-2026-34939 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI Has Second-Order SQL Injection in `get_all_user_threads` (Critical)
CVE-2026-34934 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() (Critical)
CVE-2026-34935 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution (High)
CVE-2026-34937 was published for praisonaiagents (pip) Apr 1, 2026
Credited to YeranG30

PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code (Critical)
CVE-2026-34938 was published for praisonaiagents (pip) Apr 1, 2026
Credited to YeranG30

Copier `_subdirectory` allows template root escape via parent-directory traversal (Moderate)
CVE-2026-34726 was published for copier (pip) Apr 1, 2026
Credited to evipepota and sisp

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write (High)
CVE-2026-34591 was published for poetry (pip) Apr 1, 2026
Credited to bekkaze and radoering

AIOHTTP accepts duplicate Host headers (Moderate)
CVE-2026-34525 was published for aiohttp (pip) Apr 1, 2026
Credited to 5yu4n, rodrigobnogueira, and bdraco
Credited to vmfunc, oxqnd, and rodrigobnogueira

AIOHTTP has HTTP response splitting via \r in reason phrase (Low)
CVE-2026-34519 was published for aiohttp (pip) Apr 1, 2026
Credited to DHIRAL2908

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect (Low)
CVE-2026-34518 was published for aiohttp (pip) Apr 1, 2026
Credited to uug4na and Dreamsorcerer

AIOHTTP has late size enforcement for non-file multipart fields, causing memory DoS (Low)
CVE-2026-34517 was published for aiohttp (pip) Apr 1, 2026
Credited to bekkaze and Dreamsorcerer

AIOHTTP has a Multipart Header Size Bypass (Moderate)
CVE-2026-34516 was published for aiohttp (pip) Apr 1, 2026
Credited to bekkaze and Dreamsorcerer
Credited to nvn1729 and bdraco