Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

253 advisories

Loading
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit Critical
CVE-2026-55447 was published for langflow (pip) Jun 19, 2026
vbCrLf Credited to vbCrLf, AntonioABLima, andifilhohub, erichare, and Adam-Aghili AntonioABLima AntonioABLima
andifilhohub andifilhohub erichare erichare Adam-Aghili Adam-Aghili
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Moderate
CVE-2026-55837 was published for dbt-mcp (pip) Jun 19, 2026
EQSTLab Credited to EQSTLab
Har1sh-k Credited to Har1sh-k
PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default High
GHSA-jxcw-qp4h-6jfq was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI Code agent tools fail open without a workspace boundary High
GHSA-gcq3-mfvh-3x25 was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation Critical
GHSA-892r-p3jq-jp24 was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage High
GHSA-j7qx-p75m-wp7g was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
rexpository Credited to rexpository
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak Critical
CVE-2026-55450 was published for langflow (pip) Jun 17, 2026
vbCrLf Credited to vbCrLf, Jkavia, erichare, AntonioABLima, andifilhohub, and Adam-Aghili Jkavia Jkavia
erichare erichare AntonioABLima AntonioABLima andifilhohub andifilhohub Adam-Aghili Adam-Aghili
Aviral2642 Credited to Aviral2642, russellb, and jperezdealgaba russellb russellb
jperezdealgaba jperezdealgaba
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution High
GHSA-f989-c77f-r2cq was published for crawl4ai (pip) Jun 16, 2026
geo-chen Credited to geo-chen
yt-dlp: File Downloader cookie leak with curl Moderate
CVE-2026-50019 was published for yt-dlp (pip) Jun 16, 2026
seproDev Credited to seproDev, Grub4K, and bashonly Grub4K Grub4K
bashonly bashonly
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse Moderate
GHSA-pw6j-qg29-8w7f was published for tornado (pip) Jun 15, 2026
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient High
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
noobone123 Credited to noobone123, SnailSploit, 0xHunSec, and sondt99 SnailSploit SnailSploit
0xHunSec 0xHunSec sondt99 sondt99
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges Moderate
CVE-2026-54276 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
Apache Airflow: Incomplete redaction allowlist exposes secrets in Connection `extra`  to read-permitted users Moderate
CVE-2026-45192 was published for apache-airflow (pip) Jun 1, 2026
beanduan22 Credited to beanduan22
beanduan22 Credited to beanduan22
Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs Low
CVE-2026-45739 was published for strawberry-graphql (pip) May 19, 2026
lpschroer Credited to lpschroer, bellini666, and patrick91 bellini666 bellini666
patrick91 patrick91
NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text() High
CVE-2026-45553 was published for nicegui (pip) May 18, 2026
dennyabrahamsinaga Credited to dennyabrahamsinaga, falkoschindler, h3ri0s, and evnchn falkoschindler falkoschindler
h3ri0s h3ri0s evnchn evnchn
Open WebUI Exposes System Prompt to Regular User [Non-Admin] Moderate
CVE-2026-45351 was published for open-webui (pip) May 14, 2026
shahzaibak96 Credited to shahzaibak96
KadirArslan Credited to KadirArslan
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects High
CVE-2026-44431 was published for urllib3 (pip) May 11, 2026
christos-spearbit Credited to christos-spearbit, illia-v, and sethmlarson illia-v illia-v
sethmlarson sethmlarson
ProTip! Advisories are also available from the GraphQL API