GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
182 advisories
WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver
Moderate
GHSA-8pv3-29pp-pf8f was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
High
GHSA-j432-4w3j-3w8j was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
High
GHSA-ff5q-cc22-fgp4 was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
High
GHSA-ccq9-r5cw-5hwq was published for wwbn/avideo (Composer) on Apr 14, 2026
CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
Moderate
GHSA-hg7g-56h5-5pqr was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
Moderate
GHSA-8qm8-g55h-xmqr was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
Moderate
GHSA-x2pw-9c38-cp2j was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
High
GHSA-vvfw-4m39-fjqf was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Critical
GHSA-gph2-j4c9-vhhr was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
High
GHSA-6rc6-p838-686f was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
Moderate
GHSA-52hf-63q4-r926 was published for wwbn/avideo (Composer) on Apr 14, 2026
WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
Moderate
GHSA-gpgp-w4x2-h3h7 was published for wwbn/avideo (Composer) on Apr 14, 2026
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
High
GHSA-6v7q-wjvx-w8wg was published for basic-ftp (npm) on Apr 10, 2026
Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload
Moderate
GHSA-69hx-63pv-f8f4 was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation
Moderate
GHSA-r2x7-427f-rq69 was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure
Moderate
GHSA-w8jj-cwmc-wgq2 was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass
Moderate
GHSA-fwg7-53p4-g33c was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session
Moderate
GHSA-hm2h-wwwh-g49x was published for github.com/lin-snow/ech0 (Go) on Apr 10, 2026
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
High
CVE-2026-40114 was published for PraisonAI (pip) on Apr 10, 2026
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
GHSA-ffp3-3562-8cv3 was published for praisonaiagents (pip) on Apr 10, 2026
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
High
GHSA-x462-jjpc-q4q4 was published for praisonaiagents (pip) on Apr 10, 2026
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
Moderate
CVE-2026-40148 was published for PraisonAI (pip) on Apr 10, 2026
PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution
High
GHSA-qwgj-rrpj-75xm was published for PraisonAI (pip) on Apr 10, 2026
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary
Moderate
CVE-2026-40152 was published for praisonaiagents (pip) on Apr 10, 2026
PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
High
CVE-2026-40153 was published for praisonaiagents (pip) on Apr 10, 2026