Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,630
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,850
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

122 advisories

Loading
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class High
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
TristanInSec Credited to TristanInSec
OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment High
CVE-2026-41900 was published for openlearnx (npm) Apr 23, 2026
krrazee Credited to krrazee, 0x5t4l1n, and harriiinnii 0x5t4l1n 0x5t4l1n
harriiinnii harriiinnii
Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers High
CVE-2026-22753 was published for org.springframework.security:spring-security-config (Maven) Apr 22, 2026
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads Moderate
GHSA-qmwg-qprg-3j38 was published for openclaw (npm) Apr 17, 2026
tdjackey Credited to tdjackey
October Rain has a Twig Sandbox Bypass via Collection Methods Moderate
CVE-2026-22692 was published for october/rain (Composer) Apr 14, 2026
lukasz-rybak Credited to lukasz-rybak and daftspunk daftspunk daftspunk
ImageMagick has a heap-use-after-free via XMP profile could result in a crash when printing the values. Moderate
CVE-2026-40311 was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure High
CVE-2026-40158 was published for PraisonAI (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode) Critical
CVE-2026-39888 was published for praisonaiagents (pip) Apr 8, 2026
dorjoos Credited to dorjoos
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr High
CVE-2026-34444 was published for lupa (pip) Apr 7, 2026
redyank Credited to redyank
Directus: Missing Cross-Origin Opener Policy High
CVE-2026-35408 was published for directus (npm) Apr 4, 2026
SandboxJS: Sandbox integrity escape Critical
CVE-2026-34208 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
fancymalware Credited to fancymalware
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code Critical
CVE-2026-34938 was published for praisonaiagents (pip) Apr 1, 2026
YeranG30 Credited to YeranG30
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out High
CVE-2026-27893 was published for vllm (pip) Mar 27, 2026
Wernerina Credited to Wernerina and russellb russellb russellb
OpenClaw has Inconsistent Host Exec Environment Override Sanitization High
CVE-2026-35650 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers Moderate
GHSA-3mjm-x6gw-2x42 was published for @grackle-ai/server (npm) Mar 25, 2026
Scriban: Sandbox escape due to TypedObjectAccessorcache bypassing MemberFilter after TemplateContext reuse Critical
GHSA-5wr9-m6jw-xx44 was published for scriban (NuGet) Mar 24, 2026
Zwique Credited to Zwique
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution Moderate
CVE-2026-33622 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Yesuhei Credited to Yesuhei
Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier) Moderate
CVE-2026-32947 was published for step-security/harden-runner (GitHub Actions) Mar 17, 2026
devanshbatham Credited to devanshbatham
Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier) Moderate
CVE-2026-32946 was published for step-security/harden-runner (GitHub Actions) Mar 17, 2026
devanshbatham Credited to devanshbatham
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack High
CVE-2026-28500 was published for onnx (pip) Mar 16, 2026
ZeroXJacks Credited to ZeroXJacks
kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy Moderate
GHSA-x442-m7cc-hr92 was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure Low
CVE-2026-3965 was published for @whyour/qinglong (npm) Mar 12, 2026
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement Moderate
CVE-2026-30938 was published for parse-server (npm) Mar 10, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions Moderate
CVE-2026-27646 was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked High
GHSA-wccx-j62j-r448 was published for fickling (pip) Mar 4, 2026
mldangelo Credited to mldangelo
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database