GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
253 advisories
Filter by severity
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Critical
CVE-2026-55447
was published
for
langflow
(pip)
Jun 19, 2026
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Moderate
CVE-2026-55837
was published
for
dbt-mcp
(pip)
Jun 19, 2026
Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
High
CVE-2026-54317
was published
for
homeassistant
(pip)
Jun 19, 2026
PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
High
GHSA-jxcw-qp4h-6jfq
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI Code agent tools fail open without a workspace boundary
High
GHSA-gcq3-mfvh-3x25
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
Critical
GHSA-892r-p3jq-jp24
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
High
GHSA-j7qx-p75m-wp7g
was published
for
praisonai
(pip)
Jun 18, 2026
PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal
High
GHSA-22cj-m4wf-fv2c
was published
for
praisonai
(pip)
Jun 18, 2026
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Critical
CVE-2026-55450
was published
for
langflow
(pip)
Jun 17, 2026
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
Moderate
CVE-2026-53923
was published
for
vllm
(pip)
Jun 17, 2026
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution
High
GHSA-f989-c77f-r2cq
was published
for
crawl4ai
(pip)
Jun 16, 2026
yt-dlp: File Downloader cookie leak with curl
Moderate
CVE-2026-50019
was published
for
yt-dlp
(pip)
Jun 16, 2026
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse
Moderate
GHSA-pw6j-qg29-8w7f
was published
for
tornado
(pip)
Jun 15, 2026
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
High
CVE-2026-49853
was published
for
tornado
(pip)
Jun 15, 2026
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
Moderate
CVE-2026-54276
was published
for
aiohttp
(pip)
Jun 15, 2026
Apache Airflow: Incomplete redaction allowlist exposes secrets in Connection `extra` to read-permitted users
Moderate
CVE-2026-45192
was published
for
apache-airflow
(pip)
Jun 1, 2026
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
High
CVE-2026-47394
was published
for
PraisonAI
(pip)
May 29, 2026
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
Moderate
CVE-2026-47395
was published
for
PraisonAI
(pip)
May 29, 2026
Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs
Low
CVE-2026-45739
was published
for
strawberry-graphql
(pip)
May 19, 2026
NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()
High
CVE-2026-45553
was published
for
nicegui
(pip)
May 18, 2026
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree
High
CVE-2026-45539
was published
for
apm
(pip)
May 18, 2026
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
Moderate
CVE-2026-45387
was published
for
open-webui
(pip)
May 14, 2026
Open WebUI Exposes System Prompt to Regular User [Non-Admin]
Moderate
CVE-2026-45351
was published
for
open-webui
(pip)
May 14, 2026
wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
High
CVE-2026-43977
was published
for
wger
(pip)
May 14, 2026
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
High
CVE-2026-44431
was published
for
urllib3
(pip)
May 11, 2026
ProTip!
Advisories are also available from the
GraphQL API