GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
224 advisories
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
High
CVE-2026-44338
was published
for
PraisonAI
(pip)
May 11, 2026
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
Critical
CVE-2026-44588
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
May 8, 2026
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
Critical
CVE-2026-44670
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
May 8, 2026
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
High
CVE-2026-41432
was published
for
github.com/QuantumNous/new-api
(Go)
Apr 24, 2026
Gitea has insecure default SSH settings
Moderate
GHSA-3m6q-h5gj-7mrw
was published
for
code.gitea.io/gitea
(Go)
Apr 22, 2026
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High
GHSA-2r2p-4cgf-hv7h
was published
for
engramx
(npm)
Apr 22, 2026
OpenClaw: Feishu webhook and card-action validation now fail closed
Critical
CVE-2026-44109
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Browser SSRF policy default allowed private-network navigation
Moderate
CVE-2026-43527
was published
for
openclaw
(npm)
Apr 17, 2026
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Critical
CVE-2026-41679
was published
for
@paperclipai/server
(npm)
Apr 10, 2026
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical
CVE-2026-31818
was published
for
@budibase/backend-core
(npm)
Apr 3, 2026
DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost
High
CVE-2026-34742
was published
for
github.com/modelcontextprotocol/go-sdk
(Go)
Apr 1, 2026
ProTip!
Advisories are also available from the
GraphQL API