GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
150 advisories
PraisonAI has Template Injection in Agent Tool Definitions
High
CVE-2026-39891
was published
for
praisonai
(pip)
Apr 8, 2026
CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
High
CVE-2026-39394
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass
High
CVE-2026-39393
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
Moderate
CVE-2026-39392
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
Moderate
CVE-2026-39391
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
Moderate
CVE-2026-39390
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
Moderate
CVE-2026-39389
was published
for
ci4-cms-erp/ci4ms
(Composer)
Apr 8, 2026
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
Moderate
CVE-2026-39844
was published
for
nicegui
(pip)
Apr 8, 2026
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Low
CVE-2026-34166
was published
for
liquidjs
(npm)
Apr 8, 2026
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Moderate
CVE-2026-39381
was published
for
parse-server
(npm)
Apr 8, 2026
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Moderate
CVE-2026-39367
was published
for
wwbn/avideo
(Composer)
Apr 8, 2026
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
Moderate
CVE-2026-39366
was published
for
wwbn/avideo
(Composer)
Apr 8, 2026
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
Moderate
GHSA-fcmh-qfxc-w685
was published
for
github.com/cloudnativelabs/kube-router/v2
(Go)
Apr 8, 2026
Parse Server has a login timing side-channel reveals user existence
Moderate
CVE-2026-39321
was published
for
parse-server
(npm)
Apr 8, 2026
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Moderate
CVE-2026-35592
was published
for
pyload-ng
(pip)
Apr 8, 2026
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Moderate
CVE-2026-35586
was published
for
pyload-ng
(pip)
Apr 8, 2026
Parse Server: File upload Content-Type override via extension mismatch
Low
CVE-2026-35200
was published
for
parse-server
(npm)
Apr 4, 2026
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
High
CVE-2026-35044
was published
for
bentoml
(pip)
Apr 3, 2026
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Moderate
CVE-2026-34211
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
High
CVE-2026-35037
was published
for
github.com/lin-snow/ech0
(Go)
Apr 3, 2026
Parser Server's streaming file download bypasses afterFind file trigger authorization
High
CVE-2026-34784
was published
for
parse-server
(npm)
Apr 1, 2026
Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber
Low
CVE-2026-34762
was published
for
github.com/ellanetworks/core
(Go)
Apr 1, 2026
Ella Core Panics Upon NGAP handover failure
Moderate
CVE-2026-34761
was published
for
github.com/ellanetworks/core
(Go)
Apr 1, 2026
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
High
CVE-2026-34604
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
High
CVE-2026-34603
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
ProTip!
Advisories are also available from the
GraphQL API