
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31,183 advisories

Credited to offset and 0xEr3n
Credited to offset
PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership High
CVE-2026-47405 was published for praisonai-platform (pip) May 29, 2026
Credited to beanduan22
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID High
CVE-2026-47399 was published for praisonai-platform (pip) May 29, 2026
Credited to beanduan22
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation Critical
CVE-2026-47407 was published for praisonai-platform (pip) May 29, 2026
Credited to spbavarva
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership Moderate
CVE-2026-47408 was published for praisonai-platform (pip) May 29, 2026
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API High
CVE-2026-48169 was published for praisonai-platform (pip) May 29, 2026
Credited to joshuaalwin
PraisonAI has an Arbitrary File Write in Python API High
CVE-2026-47397 was published for PraisonAI (pip) May 29, 2026
Credited to Ruoyyy
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution Critical
CVE-2026-47391 was published for PraisonAI (pip) May 29, 2026
Credited to foxirain
Credited to beanduan22
Credited to q1uf3ng
Credited to beanduan22
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default Critical
CVE-2026-47393 was published for PraisonAI (pip) May 29, 2026
Credited to SnailSploit
Credited to beanduan22
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings Moderate
CVE-2026-47390 was published for PraisonAI (pip) May 29, 2026
Credited to beanduan22
Credited to SnailSploit
formie's unauthenticated front-end submission editing can overwrite existing submissions High
CVE-2026-47266 was published for verbb/formie (Composer) May 29, 2026
stigmem-node's federation peer registration lacked explicit out-of-band approval Critical
GHSA-9vp8-3hmv-8fgh was published for stigmem-node (pip) May 29, 2026
stigmem-node's unsigned plugin override could be enabled without a second explicit acknowledgment High
GHSA-w7pm-9g55-mxfm was published for stigmem-node (pip) May 29, 2026
stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation Critical
GHSA-jmfc-hfjq-pxcp was published for stigmem-node (pip) May 29, 2026
stigmem-node's Postgres schema identifier handling required defensive quoting High
GHSA-9pc9-4crj-mhpj was published for stigmem-node (pip) May 29, 2026
stigmem-node's federation peer token timestamp validation may reject valid peer tokens High
GHSA-xh5j-xjfq-qvvx was published for stigmem-node (pip) May 29, 2026
ProTip! Advisories are also available from the GraphQL API