GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
74 advisories
CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when...
High | Unreviewed | CVE-2026-10056 was published May 29, 2026

Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase,...
Critical | Unreviewed | CVE-2026-9739 was published May 28, 2026

Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
Moderate | GHSA-m837-xvxr-vqwg was published for flowise (npm) | May 20, 2026

Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
Moderate | CVE-2026-46431 was published for github.com/xyproto/algernon (Go) | May 20, 2026

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in...
Critical | Unreviewed | CVE-2026-8948 was published May 19, 2026

Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
Moderate | GHSA-9v4j-7g44-qcqw was published for github.com/xyproto/algernon (Go) | May 19, 2026

Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778...
Moderate | Unreviewed | CVE-2026-8576 was published May 14, 2026

Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168...
Moderate | Unreviewed | CVE-2026-8537 was published May 14, 2026

Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Moderate | CVE-2026-45021 was published for github.com/kumahq/kuma (Go) | May 14, 2026

@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
High | CVE-2026-44895 was published for @yoda.digital/gitlab-mcp-server (npm) | May 9, 2026

engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High | GHSA-2r2p-4cgf-hv7h was published for engramx (npm) | Apr 22, 2026

Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
High | CVE-2026-34839 was published for Glances (pip) | Apr 21, 2026

WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
High | CVE-2026-41056 was published for wwbn/avideo (Composer) | Apr 14, 2026

PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
High | GHSA-x462-jjpc-q4q4 was published for praisonaiagents (pip) | Apr 10, 2026

CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote...
Moderate | Unreviewed | CVE-2026-5302 was published Apr 8, 2026

SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Critical | CVE-2026-34449 was published for github.com/siyuan-note/siyuan/kernel (Go) | Mar 31, 2026

Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
Moderate | CVE-2026-34227 was published for github.com/bishopfox/sliver (Go) | Mar 31, 2026

When the internal webserver is enabled (default is disabled), an attacker might be able to trick...
Low | Unreviewed | CVE-2026-0397 was published Mar 31, 2026

MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)
Moderate | CVE-2026-34237 was published for io.modelcontextprotocol.sdk:mcp-core (Maven) | Mar 30, 2026

Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
High | CVE-2026-33533 was published for Glances (pip) | Mar 30, 2026

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS...
Low | Unreviewed | CVE-2025-55274 was published Mar 26, 2026

qui CORS Misconfiguration: Arbitrary Origins Trusted
Critical | CVE-2026-30924 was published for github.com/autobrr/qui (Go) | Mar 19, 2026

AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
High | CVE-2026-33043 was published for wwbn/avideo (Composer) | Mar 17, 2026

Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
High | CVE-2026-32610 was published for Glances (pip) | Mar 16, 2026

TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Critical | CVE-2026-28792 was published for @tinacms/cli (npm) | Mar 12, 2026