GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,300 advisories
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session
Moderate
GHSA-hm2h-wwwh-g49x
was published
for
github.com/lin-snow/ech0
(Go)
Apr 10, 2026
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
GHSA-ffp3-3562-8cv3
was published
for
praisonaiagents
(pip)
Apr 10, 2026
PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution
High
GHSA-qwgj-rrpj-75xm
was published
for
PraisonAI
(pip)
Apr 10, 2026
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
Moderate
CVE-2026-40103
was published
for
code.vikunja.io/api
(Go)
Apr 10, 2026
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Moderate
CVE-2026-35596
was published
for
code.vikunja.io/api
(Go)
Apr 10, 2026
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
Moderate
GHSA-cmfr-9m2r-xwhq
was published
for
openclaw
(npm)
Apr 9, 2026
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
Moderate
GHSA-whf9-3hcx-gq54
was published
for
openclaw
(npm)
Apr 9, 2026
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
Moderate
GHSA-rfgh-63mg-8pwm
was published
for
pyload-ng
(pip)
Apr 8, 2026
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Moderate
CVE-2026-39381
was published
for
parse-server
(npm)
Apr 8, 2026
File Browser share links remain accessible after Share/Download permissions are revoked
High
CVE-2026-35604
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Apr 8, 2026
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Moderate
CVE-2026-35586
was published
for
pyload-ng
(pip)
Apr 8, 2026
OpenClaw: pnpm dlx approvals did not bind local script operands
Moderate
GHSA-w6wx-jq6j-6mcj
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations
Moderate
GHSA-fwjq-xwfj-gv75
was published
for
openclaw
(npm)
Apr 7, 2026
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
Moderate
CVE-2026-34972
was published
for
github.com/openfga/openfga
(Go)
Apr 7, 2026
ProTip!
Advisories are also available from the
GraphQL API