GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
233 advisories
CVE-2026-47393 (Critical) for PraisonAI (pip), published May 29, 2026: PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
CVE-2026-9039 (High, unreviewed), published May 28, 2026: A configuration weakness in the device’s remote management service allows an authenticated...
CVE-2026-24197 (Moderate, unreviewed), published May 26, 2026: NVIDIA Display Driver for Linux contains a vulnerability in the Multi-Instance GPU (MIG)...
CVE-2026-46517 (High) for lmdeploy (pip), published May 21, 2026: lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
CVE-2026-35672 (High) for phpmyfaq/phpmyfaq (Composer), published May 20, 2026: phpMyFAQ: Default Empty API Token Authentication Bypass
CVE-2026-46430 (Moderate) for github.com/xyproto/algernon (Go), published May 20, 2026: Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS
GHSA-9v4j-7g44-qcqw (Moderate) for github.com/xyproto/algernon (Go), published May 19, 2026: Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
CVE-2026-45728 (High) for github.com/xyproto/algernon (Go), published May 19, 2026: Algernon: Single-file mode unconditionally enables debug mode
CVE-2026-33376 (High, unreviewed), published May 13, 2026: When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses...
CVE-2026-30805 (Critical, unreviewed), published May 12, 2026: Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API...
CVE-2026-6866 (High, unreviewed), published May 12, 2026: CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could...
CVE-2026-27662 (High, unreviewed), published May 12, 2026: Affected devices do not properly restrict access to the web browser via the Control Panel when no...
CVE-2026-44338 (High) for PraisonAI (pip), published May 11, 2026: PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
CVE-2026-44588 (Critical) for github.com/siyuan-note/siyuan/kernel (Go), published May 8, 2026: SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
CVE-2026-44670 (Critical) for github.com/siyuan-note/siyuan/kernel (Go), published May 8, 2026: SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
GHSA-cjg8-85gj-v9q2 (Critical, withdrawn) for openclaw (npm), published May 6, 2026: Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed
CVE-2026-43581 (Critical, unreviewed), published May 6, 2026: OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox...
CVE-2025-31974 (Low, unreviewed), published May 6, 2026: HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only....
CVE-2026-39920 (Critical, unreviewed), published Apr 24, 2026: BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2...
CVE-2026-41432 (High) for github.com/QuantumNous/new-api (Go), published Apr 24, 2026: New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
CVE-2026-6043 (High, unreviewed), published Apr 24, 2026: P4 Server versions prior to 2026.1 are configured with insecure default settings that, when...
GHSA-3m6q-h5gj-7mrw (Moderate) for code.gitea.io/gitea (Go), published Apr 22, 2026: Gitea has insecure default SSH settings
GHSA-2r2p-4cgf-hv7h (High) for engramx (npm), published Apr 22, 2026: engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
CVE-2026-32965 (High, unreviewed), published Apr 20, 2026: Initialization of a resource with an insecure default vulnerability exists in SD-330AC and AMC...
CVE-2026-44109 (Critical) for openclaw (npm), published Apr 17, 2026: OpenClaw: Feishu webhook and card-action validation now fail closed