GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
371 advisories
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Critical
CVE-2026-47407
was published
for
praisonai-platform
(pip)
May 29, 2026
free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions
Critical
CVE-2026-44330
was published
for
github.com/free5gc/nef
(Go)
May 8, 2026
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Critical
CVE-2026-43999
was published
for
vm2
(npm)
May 7, 2026
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Critical
CVE-2026-41050
was published
for
github.com/rancher/fleet
(Go)
May 7, 2026
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
Critical
CVE-2026-43948
was published
for
wger
(pip)
May 6, 2026
S3-Proxy has Security Issues in its Resource Path Matching Implementation
Critical
CVE-2026-42882
was published
for
github.com/oxyno-zeta/s3-proxy
(Go)
May 5, 2026
Codechecker has an authentication bypass for certain API calls
Critical
CVE-2026-25660
was published
for
codechecker
(pip)
May 5, 2026
Pelican Web UI Affected by a Privilege Escalation Attack
Critical
CVE-2026-42571
was published
for
github.com/pelicanplatform/pelican
(Go)
May 4, 2026
Official Clerk JavaScript SDKs: Middleware-based route protection bypass
Critical
CVE-2026-41248
was published
for
@clerk/astro
(npm)
Apr 16, 2026
changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering
Critical
CVE-2026-35490
was published
for
changedetection.io
(pip)
Apr 6, 2026
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
Critical
CVE-2026-41329
was published
for
openclaw
(npm)
Apr 2, 2026
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
Critical
CVE-2026-34953
was published
for
praisonai
(pip)
Apr 1, 2026
OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
Critical
CVE-2026-33579
was published
for
openclaw
(npm)
Mar 31, 2026
parse-server has cloud function validator bypass via prototype chain traversal
Critical
CVE-2026-34532
was published
for
parse-server
(npm)
Mar 31, 2026
ProTip!
Advisories are also available from the
GraphQL API