
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32 advisories

Credited to sondt99
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API Moderate
GHSA-ww5p-j6cj-6mqq was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to sondt99
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing Moderate
CVE-2026-53520 was published for github.com/nezhahq/nezha (Go) Jun 26, 2026
Credited to sondt99
Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory Moderate
GHSA-jvcm-f35g-w78p was published for network-ai (npm) Jun 19, 2026
Credited to sondt99
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning High
GHSA-2fmp-9rvw-hc96 was published for network-ai (npm) Jun 19, 2026
Credited to sondt99
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284 Moderate
CVE-2026-12565 was published for bbot (pip) Jun 18, 2026
Credited to sondt99
pypdf: Missing stream length values ignore defined limits Moderate
GHSA-jm82-fx9c-mx94 was published for pypdf (pip) Jun 18, 2026
Credited to sondt99 and stefan6419846
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation Critical
GHSA-29w3-p9w9-wc47 was published for praisonai (pip) Jun 18, 2026
Credited to sondt99
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool Critical
GHSA-p69m-4f92-2v84 was published for praisonai (npm) Jun 18, 2026
Credited to sondt99
PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters High
GHSA-c969-5x3p-vq3v was published for praisonaiagents (pip) Jun 18, 2026
Credited to sondt99
PraisonAI: Arbitrary File Read via `@file:` Mention Path Traversal High
GHSA-2rcg-mm5h-xchx was published for praisonaiagents (pip) Jun 18, 2026
Credited to sondt99
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint Moderate
GHSA-35w5-pcw4-jx94 was published for praisonaiagents (pip) Jun 18, 2026
Credited to sondt99
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient High
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
Credited to noobone123, SnailSploit, 0xHunSec, and sondt99
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` Moderate
CVE-2026-48125 was published for ua-parser-js (npm) Jun 15, 2026
Credited to sondt99
protobufjs: Memory amplification from preserved unknown fields in binary decode Moderate
CVE-2026-54270 was published for protobufjs (npm) Jun 15, 2026
Credited to sondt99 and dcodeIO
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection Moderate
GHSA-268h-hp4c-crq3 was published for nodemailer (npm) Jun 15, 2026
Credited to sondt99 and dungNHVhust
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization Moderate
GHSA-wqvq-jvpq-h66f was published for nodemailer (npm) Jun 15, 2026
Credited to sondt99 and dungNHVhust
Tornado has out-of-bounds memory access via C extension Low
CVE-2026-49854 was published for tornado (pip) Jun 12, 2026
Credited to sondt99