Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,521
Maven
5,000+
npm
5,000+
NuGet
911
pip
4,760
Pub
13
RubyGems
1,036
Rust
1,229
Swift
53
Unreviewed advisories
All unreviewed
5,000+

96 advisories

Loading
WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver Moderate
GHSA-8pv3-29pp-pf8f was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure Moderate
GHSA-hg7g-56h5-5pqr was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators Moderate
GHSA-8qm8-g55h-xmqr was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion Moderate
GHSA-x2pw-9c38-cp2j was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version Moderate
GHSA-52hf-63q4-r926 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens Moderate
GHSA-gpgp-w4x2-h3h7 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload Moderate
GHSA-69hx-63pv-f8f4 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation Moderate
GHSA-r2x7-427f-rq69 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure Moderate
GHSA-w8jj-cwmc-wgq2 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass Moderate
GHSA-fwg7-53p4-g33c was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session Moderate
GHSA-hm2h-wwwh-g49x was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
offset Credited to offset
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands Moderate
GHSA-ffp3-3562-8cv3 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits Moderate
CVE-2026-40148 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary Moderate
CVE-2026-40152 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS Moderate
CVE-2026-40151 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate Moderate
CVE-2026-40117 was published for praisonaiagents (pip) Apr 10, 2026
offset Credited to offset
PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency) Moderate
CVE-2026-40112 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling Moderate
GHSA-766v-q9x3-g744 was published for praisonaiagents (pip) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization Moderate
CVE-2026-39392 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List Moderate
CVE-2026-39391 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting Moderate
CVE-2026-39390 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files Moderate
CVE-2026-39389 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows Moderate
CVE-2026-39844 was published for nicegui (pip) Apr 8, 2026
offset Credited to offset, evnchn, and falkoschindler evnchn evnchn
falkoschindler falkoschindler
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` Moderate
CVE-2026-39381 was published for parse-server (npm) Apr 8, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page Moderate
CVE-2026-39367 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database