Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

60 advisories

Loading
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
LaunchServer FileServerHandler has an unauthenticated path traversal issue Critical
CVE-2026-54617 was published for pro.gravit.launcher:launchserver-api (Maven) Jul 2, 2026
getclaude Credited to getclaude
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit Critical
CVE-2026-55447 was published for langflow (pip) Jun 19, 2026
vbCrLf Credited to vbCrLf, AntonioABLima, andifilhohub, erichare, and Adam-Aghili AntonioABLima AntonioABLima
andifilhohub andifilhohub erichare erichare Adam-Aghili Adam-Aghili
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation Critical
GHSA-892r-p3jq-jp24 was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak Critical
CVE-2026-55450 was published for langflow (pip) Jun 17, 2026
vbCrLf Credited to vbCrLf, Jkavia, erichare, AntonioABLima, andifilhohub, and Adam-Aghili Jkavia Jkavia
erichare erichare AntonioABLima AntonioABLima andifilhohub andifilhohub Adam-Aghili Adam-Aghili
HAXcms: Private Key Disclosure via Broken HMAC Implementation Critical
CVE-2026-46395 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
shreyas-challa Credited to shreyas-challa
Strapi may leak sensitive data via relational filtering due to lack of query sanitization Critical
CVE-2026-27886 was published for @strapi/strapi (npm) May 14, 2026
WildWestCyberSecurity Credited to WildWestCyberSecurity, innerdvations, derrickmehaffy, nclsndr, and Bassel17 innerdvations innerdvations
derrickmehaffy derrickmehaffy nclsndr nclsndr Bassel17 Bassel17
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) Critical
CVE-2026-45091 was published for io.github.davidalmeidac:sealed-env-core (Maven) May 12, 2026
davidalmeidac Credited to davidalmeidac
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction Critical
CVE-2026-42880 was published for github.com/argoproj/argo-cd/v3 (Go) May 7, 2026
hoang-prod Credited to hoang-prod
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses Critical
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) Apr 24, 2026
DanusMinimus Credited to DanusMinimus and EladMeged-Novee EladMeged-Novee EladMeged-Novee
Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars Critical
CVE-2026-41492 was published for github.com/dgraph-io/dgraph (Go) Apr 24, 2026
MaherAzzouzi Credited to MaherAzzouzi
komi22 Credited to komi22
Pyroscope Exposes Storage Secret Critical
CVE-2025-41118 was published for github.com/grafana/pyroscope (Go) Apr 15, 2026
HAPI FHIR HTTP authentication leak in redirects Critical
CVE-2026-33180 was published for ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) Mar 18, 2026
ElliotSilver Credited to ElliotSilver
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service Critical
CVE-2026-32938 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 17, 2026
TCOTC Credited to TCOTC, YuxinZhaozyx, and 88250 YuxinZhaozyx YuxinZhaozyx
88250 88250
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist` Critical
CVE-2026-32633 was published for Glances (pip) Mar 16, 2026
offset Credited to offset
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
Rancher doesn't properly sanitize credentials in cluster template answers Critical
CVE-2021-36783 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Known affected by Account Takeover via Password Reset Token Leakage Critical
CVE-2026-26273 was published for idno/known (Composer) Feb 13, 2026
IamLeandrooooo Credited to IamLeandrooooo
Argo CD's Project API Token Exposes Repository Credentials Critical
CVE-2025-55190 was published for github.com/argoproj/argo-cd/v2 (Go) Sep 4, 2025
ntammineni5 Credited to ntammineni5, 34fathombelow, alexmt, todaywasawesome, jannfis, crenshaw-dev, and svghadi 34fathombelow 34fathombelow
alexmt alexmt todaywasawesome todaywasawesome jannfis jannfis crenshaw-dev crenshaw-dev svghadi svghadi
Valtimo scripting engine can be used to gain access to sensitive data or resources Critical
CVE-2025-58059 was published for com.ritense.valtimo:core (Maven) Aug 28, 2025
docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token Critical
CVE-2025-53624 was published for docusaurus-plugin-content-gists (npm) Jul 9, 2025
webbertakken Credited to webbertakken
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF) Critical
CVE-2024-34711 was published for org.geoserver.main:gs-main (Maven) Jun 10, 2025
lemauanhphong Credited to lemauanhphong and jodygarnett jodygarnett jodygarnett
ProTip! Advisories are also available from the GraphQL API