GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
13,677 advisories
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership
Moderate
CVE-2026-47408 was published for praisonai-platform (pip) on May 29, 2026
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
Moderate
CVE-2026-47395 was published for PraisonAI (pip) on May 29, 2026
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
Moderate
CVE-2026-47390 was published for PraisonAI (pip) on May 29, 2026
Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
Moderate
CVE-2026-47268 was published for github.com/nezhahq/nezha (Go) on May 29, 2026
Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024
Moderate
CVE-2026-47233 was published for admidio/admidio (Composer) on May 29, 2026
Admidio writes session IDs and auto-login cookie values to application logs
Moderate
CVE-2026-47234 was published for admidio/admidio (Composer) on May 29, 2026
Admidio PKCS#12 private key export action lacks CSRF protection
Moderate
CVE-2026-47232 was published for admidio/admidio (Composer) on May 29, 2026
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Moderate
CVE-2026-47230 was published for admidio/admidio (Composer) on May 29, 2026
Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation
Moderate
CVE-2026-47229 was published for admidio/admidio (Composer) on May 29, 2026
Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords
Moderate
CVE-2026-47228 was published for admidio/admidio (Composer) on May 29, 2026
Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Moderate
CVE-2026-47227 was published for admidio/admidio (Composer) on May 29, 2026
Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Moderate
CVE-2026-47226 was published for admidio/admidio (Composer) on May 29, 2026
BoxLite has a Timeout Bypass Vulnerability
Moderate
CVE-2026-47213 was published for boxlite (pip) on May 29, 2026
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification
Moderate
CVE-2026-47212 was published for symfony/symfony (Composer) on May 29, 2026
zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
Moderate
CVE-2026-47184 was published for zeroconf (pip) on May 29, 2026
zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion
Moderate
CVE-2026-47183 was published for zeroconf (pip) on May 29, 2026
zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service
Moderate
CVE-2026-47180 was published for zeroconf (pip) on May 29, 2026
Nerdbank.MessagePack has Inefficient CPU Computation
Moderate
GHSA-92vj-hp7m-gwcj was published for Nerdbank.MessagePack (NuGet) on May 29, 2026
Nerdbank.MessagePack has a memory amplification DoS in collection deserialization
Moderate
GHSA-qjvr-435c-5fjh was published for Nerdbank.MessagePack (NuGet) on May 29, 2026
Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection
Moderate
CVE-2026-47122 was published for github.com/sparkle-project/Sparkle (Swift) on May 29, 2026
Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta
Moderate
CVE-2026-47121 was published for github.com/sparkle-project/Sparkle (Swift) on May 29, 2026
go-git: Malformed Git object data may cause panics or resource exhaustion
Moderate
GHSA-w5pp-99ch-qj29 was published for github.com/go-git/go-git/v5 (Go) on May 29, 2026
russh server userauth state is not reset when authentication principal changes
Moderate
CVE-2026-46705 was published for russh (Rust) on May 29, 2026
uv is vulnerable to arbitrary file write through entry point names
Moderate
GHSA-4gg8-gxpx-9rph was published for uv (pip) on May 29, 2026
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
Moderate
CVE-2026-47248 was published for parse-server (npm) on May 29, 2026
ProTip! Advisories are also available from the GraphQL API