GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
23 advisories
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High
GHSA-2r2p-4cgf-hv7h
was published
for
engramx
(npm)
Apr 22, 2026
Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
High
CVE-2026-34839
was published
for
Glances
(pip)
Apr 21, 2026
WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
High
CVE-2026-41056
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
High
GHSA-x462-jjpc-q4q4
was published
for
praisonaiagents
(pip)
Apr 10, 2026
SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Critical
CVE-2026-34449
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 31, 2026
Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
Moderate
CVE-2026-34227
was published
for
github.com/bishopfox/sliver
(Go)
Mar 31, 2026
MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)
Moderate
CVE-2026-34237
was published
for
io.modelcontextprotocol.sdk:mcp-core
(Maven)
Mar 30, 2026
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
High
CVE-2026-33533
was published
for
Glances
(pip)
Mar 30, 2026
qui CORS Misconfiguration: Arbitrary Origins Trusted
Critical
CVE-2026-30924
was published
for
github.com/autobrr/qui
(Go)
Mar 19, 2026
AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
High
CVE-2026-33043
was published
for
wwbn/avideo
(Composer)
Mar 17, 2026
Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
High
CVE-2026-32610
was published
for
Glances
(pip)
Mar 16, 2026
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Critical
CVE-2026-28792
was published
for
@tinacms/cli
(npm)
Mar 12, 2026
mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft
High
CVE-2026-33010
was published
for
mcp-memory-service
(pip)
Mar 7, 2026
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins
High
CVE-2026-25478
was published
for
litestar
(pip)
Feb 9, 2026
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
High
CVE-2026-22812
was published
for
opencode-ai
(npm)
Jan 13, 2026
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
High
CVE-2025-53092
was published
for
@strapi/core
(npm)
Oct 16, 2025
@musistudio/claude-code-router has improper CORS configuration
High
CVE-2025-57755
was published
for
@musistudio/claude-code-router
(npm)
Aug 21, 2025
ProTip!
Advisories are also available from the
GraphQL API