GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

619 advisories

Sentry's improper authentication on SAML SSO process allows user identity linking (Critical)
CVE-2026-42354, published for sentry (pip) on Apr 30, 2026. Credited to jaydns.

LiteLLM has SQL Injection in Proxy API key verification (Critical)
GHSA-r75f-5x8p-qvmc, published for litellm (pip) on Apr 24, 2026.

Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer (Critical)
CVE-2025-62373, published for pipecat-ai (pip) on Apr 23, 2026. Credited to Chenpinji.

PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection (Critical)
CVE-2026-41497, published for praisonai (pip) on Apr 17, 2026. Credited to decsecre583.

OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes (Critical)
CVE-2026-40525, published for openviking (pip) on Apr 17, 2026.

Sentry: Improper authentication on SAML SSO process allows user identity linking (Critical)
CVE-2026-27197, published for sentry (pip) on Apr 17, 2026. Credited to Muhammad-Qasim-Munir.

UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen (Critical)
GHSA-hm2w-vr2p-hq7w, published for uefi-firmware (pip) on Apr 16, 2026. Credited to 1seal.

UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable (Critical)
GHSA-2689-5p89-6j3j, published for uefi-firmware (pip) on Apr 16, 2026. Credited to 1seal.

Upsonic: remote code execution vulnerability in its MCP server/task creation functionality (Critical)
CVE-2026-30625, published for upsonic (pip) on Apr 15, 2026.

excel-mcp-server has a Path Traversal issue (Critical)
CVE-2026-40576, published for excel-mcp-server (pip) on Apr 14, 2026. Credited to hits313.

Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability (Critical)
CVE-2026-4810, published for google-adk (pip) on Apr 13, 2026. Credited to philrollet.

aws-mcp has a Command Injection Remote Code Execution Vulnerability (Critical)
CVE-2026-5059, published for aws-mcp (pip) on Apr 11, 2026. Credited to arnewouters.

gramps-webapi: Zip Slip Path Traversal in Media Archive Import (Critical)
CVE-2026-40258, published for gramps-webapi (pip) on Apr 10, 2026. Credited to srisowmya2000.

ajenti.plugin.core has password bypass when 2FA is activated (Critical)
CVE-2026-40177, published for ajenti.plugin.core (pip) on Apr 10, 2026. Credited to hansmach1ne.

PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions (Critical)
CVE-2026-40289, published for PraisonAI (pip) on Apr 10, 2026. Credited to R1ZZG0D.

PraisonAI has critical RCE via `type: job` workflow YAML (Critical)
CVE-2026-40288, published for PraisonAI (pip) on Apr 10, 2026. Credited to l3tchupkt.

PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack` (Critical)
CVE-2026-40157, published for PraisonAI (pip) on Apr 10, 2026. Credited to Mundi-Xu.

PraisonAI Vulnerable Untrusted Remote Template Code Execution (Critical)
CVE-2026-40154, published for PraisonAI (pip) on Apr 10, 2026. Credited to l3tchupkt.

PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) (Critical)
CVE-2026-40111, published for praisonaiagents (pip) on Apr 10, 2026. Credited to g0w6y.

parisneo/lollms vulnerable to stored XSS in the social feature (Critical)
CVE-2026-1115, published for lollms (pip) on Apr 10, 2026.

Apache Airflow: JWT token still valid after logout (Critical)
CVE-2025-57735, published for apache-airflow (pip) on Apr 9, 2026.

PraisonAI Vulnerable to OS Command Injection (Critical)
CVE-2026-40088, published for PraisonAI (pip) on Apr 8, 2026. Credited to l3tchupkt.

Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass (Critical)
CVE-2026-39987, published for marimo (pip) on Apr 8, 2026. Credited to q1uf3ng.

PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode) (Critical)
CVE-2026-39888, published for praisonaiagents (pip) on Apr 8, 2026. Credited to dorjoos.

PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading (Critical)
CVE-2026-39890, published for praisonai (pip) on Apr 8, 2026.