GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
640 advisories
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical
CVE-2026-46703
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical
CVE-2026-46695
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Mlflow: Command Injection when serving models with enable_mlserver=True
Critical
CVE-2026-0596
was published
for
mlflow
(pip)
Mar 31, 2026
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
Critical
CVE-2026-45568
was published
for
zrok
(pip)
May 19, 2026
Malicious dropper in mistralai 2.4.6 PyPI package
Critical
GHSA-wx9m-wx4f-4cmg
was published
for
mistralai
(pip)
May 18, 2026
Open WebUI has an LDAP Empty Password Authentication Bypass
Critical
CVE-2026-44551
was published
for
open-webui
(pip)
May 8, 2026
utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
Critical
CVE-2026-45369
was published
for
utcp-cli
(pip)
May 14, 2026
Dulwich Arbitrary code execution via commit with directory path starting with .git
Critical
CVE-2014-9706
was published
for
dulwich
(pip)
May 17, 2022
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
Critical
CVE-2026-42601
was published
for
archivebox
(pip)
May 4, 2026
misp-modules website - Missing CSRF protection in the website home blueprint
Critical
CVE-2026-44364
was published
for
misp-modules
(pip)
May 6, 2026
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
Critical
CVE-2026-43948
was published
for
wger
(pip)
May 6, 2026
django-s3file is vulnerable to relative path traversal
Critical
CVE-2026-42196
was published
for
django-s3file
(pip)
May 5, 2026
Langflow Knowledge Bases API is Vulnerable to Path Traversal
Critical
CVE-2026-42048
was published
for
langflow
(pip)
May 5, 2026
Sentry's improper authentication on SAML SSO process allows user identity linking
Critical
CVE-2026-42354
was published
for
sentry
(pip)
Apr 30, 2026
PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection
Critical
CVE-2026-41497
was published
for
praisonai
(pip)
Apr 17, 2026
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
Critical
CVE-2025-55449
was published
for
astrbot
(pip)
Nov 14, 2025
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
Critical
CVE-2026-44336
was published
for
PraisonAI
(pip)
May 11, 2026
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Critical
CVE-2026-39890
was published
for
praisonai
(pip)
Apr 8, 2026
ProTip!
Advisories are also available from the
GraphQL API