GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
4,740 advisories
gramps-webapi: Zip Slip Path Traversal in Media Archive Import
Critical
CVE-2026-40258
was published
for
gramps-webapi
(pip)
Apr 10, 2026
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
Moderate
CVE-2026-40260
was published
for
pypdf
(pip)
Apr 10, 2026
Rembg has a Path Traversal via Custom Model Loading
Moderate
CVE-2026-40086
was published
for
rembg
(pip)
Apr 10, 2026
ajenti.plugin.core has race conditions in 2FA
Moderate
CVE-2026-40178
was published
for
ajenti.plugin.core
(pip)
Apr 10, 2026
xrootd has path traversal in directory listing that allows access to the parent directory via trailing ".." pattern
Moderate
GHSA-vj8v-p5vw-m6v5
was published
for
xrootd
(pip)
Apr 10, 2026
ajenti.plugin.core has password bypass when 2FA is activated
Critical
CVE-2026-40177
was published
for
ajenti.plugin.core
(pip)
Apr 10, 2026
uv vulnerable to arbitrary file deletion through RECORD entries
Low
GHSA-pjjw-68hj-v9mw
was published
for
uv
(pip)
Apr 10, 2026
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Critical
GHSA-8x8f-54wf-vv92
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI has critical RCE via `type: job` workflow YAML
Critical
GHSA-vc46-vw85-3wvm
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI Vulnerable to RCE via Automatic tools.py Import
High
GHSA-g985-wjh9-qxxc
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
Moderate
GHSA-x783-xp3g-mqhp
was published
for
PraisonAI
(pip)
Apr 10, 2026
Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble
High
CVE-2026-40162
was published
for
bugsink
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
High
CVE-2026-40114
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
GHSA-ffp3-3562-8cv3
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback
High
CVE-2026-40160
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
High
GHSA-x462-jjpc-q4q4
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution
Moderate
CVE-2026-40159
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`
Critical
CVE-2026-40157
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
High
CVE-2026-40156
was published
for
praisonai
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
Moderate
CVE-2026-40148
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI Vulnerable Untrusted Remote Template Code Execution
Critical
CVE-2026-40154
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution
High
GHSA-qwgj-rrpj-75xm
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure
High
CVE-2026-40158
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary
Moderate
CVE-2026-40152
was published
for
praisonaiagents
(pip)
Apr 10, 2026
ProTip!
Advisories are also available from the
GraphQL API