GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
28 advisories
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
High
CVE-2026-40114
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
GHSA-ffp3-3562-8cv3
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
High
GHSA-x462-jjpc-q4q4
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
Moderate
CVE-2026-40148
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution
High
GHSA-qwgj-rrpj-75xm
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary
Moderate
CVE-2026-40152
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
High
CVE-2026-40153
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
Moderate
CVE-2026-40151
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
High
CVE-2026-40149
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool
High
CVE-2026-40150
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
Moderate
CVE-2026-40117
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits
High
CVE-2026-40116
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
Moderate
CVE-2026-40112
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
Moderate
GHSA-766v-q9x3-g744
was published
for
praisonaiagents
(pip)
Apr 8, 2026
PraisonAI has Template Injection in Agent Tool Definitions
High
CVE-2026-39891
was published
for
praisonai
(pip)
Apr 8, 2026
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Moderate
CVE-2026-39844
was published
for
nicegui
(pip)
Apr 8, 2026
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Moderate
CVE-2026-35592
was published
for
pyload-ng
(pip)
Apr 8, 2026
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Moderate
CVE-2026-35586
was published
for
pyload-ng
(pip)
Apr 8, 2026
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
High
CVE-2026-35044
was published
for
bentoml
(pip)
Apr 3, 2026
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
High
CVE-2026-33509
was published
for
pyload-ng
(pip)
Mar 20, 2026
JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script)
Moderate
GHSA-qvc2-mg72-jjhx
was published
for
justhtml
(pip)
Mar 18, 2026
Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
High
CVE-2026-32634
was published
for
Glances
(pip)
Mar 16, 2026
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical
CVE-2026-32633
was published
for
Glances
(pip)
Mar 16, 2026
Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Moderate
CVE-2026-32632
was published
for
Glances
(pip)
Mar 16, 2026
Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements
High
CVE-2026-32611
was published
for
Glances
(pip)
Mar 16, 2026
ProTip!
Advisories are also available from the
GraphQL API