
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28 advisories

Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory (Moderate)
GHSA-jvcm-f35g-w78p was published for network-ai (npm) Jun 19, 2026
Credited to sondt99

Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning (High)
GHSA-2fmp-9rvw-hc96 was published for network-ai (npm) Jun 19, 2026
Credited to sondt99

BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284 (Moderate)
CVE-2026-12565 was published for bbot (pip) Jun 18, 2026
Credited to sondt99

pypdf: Missing stream length values ignore defined limits (Moderate)
GHSA-jm82-fx9c-mx94 was published for pypdf (pip) Jun 18, 2026
Credited to sondt99 and stefan6419846

PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation (Critical)
GHSA-29w3-p9w9-wc47 was published for praisonai (pip) Jun 18, 2026
Credited to sondt99

PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool (Critical)
GHSA-p69m-4f92-2v84 was published for praisonai (npm) Jun 18, 2026
Credited to sondt99

PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters (High)
GHSA-c969-5x3p-vq3v was published for praisonaiagents (pip) Jun 18, 2026
Credited to sondt99

PraisonAI: Arbitrary File Read via `@file:` Mention Path Traversal (High)
GHSA-2rcg-mm5h-xchx was published for praisonaiagents (pip) Jun 18, 2026
Credited to sondt99

PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint (Moderate)
GHSA-35w5-pcw4-jx94 was published for praisonaiagents (pip) Jun 18, 2026
Credited to sondt99

ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components (Low)
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5

Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient (High)
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
Credited to noobone123, SnailSploit, 0xHunSec, and sondt99

UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` (Moderate)
CVE-2026-48125 was published for ua-parser-js (npm) Jun 15, 2026
Credited to sondt99

protobufjs: Memory amplification from preserved unknown fields in binary decode (Moderate)
CVE-2026-54270 was published for protobufjs (npm) Jun 15, 2026
Credited to sondt99 and dcodeIO

Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection (Moderate)
GHSA-268h-hp4c-crq3 was published for nodemailer (npm) Jun 15, 2026
Credited to sondt99 and dungNHVhust

Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization (Moderate)
GHSA-wqvq-jvpq-h66f was published for nodemailer (npm) Jun 15, 2026
Credited to sondt99 and dungNHVhust

Tornado has out-of-bounds memory access via C extension (Low)
CVE-2026-49854 was published for tornado (pip) Jun 12, 2026
Credited to sondt99

pypdf: Possible large memory usage for large offsets for layout mode text (Moderate)
CVE-2026-48155 was published for pypdf (pip) Jun 12, 2026
Credited to sondt99 and stefan6419846

Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents (High)
CVE-2026-49396 was published for github.com/nezhahq/nezha (Go) Jun 10, 2026
Credited to sondt99

Nezha's authenticated agents can forge service-monitor results for other users' services (High)
CVE-2026-48119 was published for github.com/nezhahq/nezha (Go) Jun 1, 2026
Credited to sondt99