GHSA-rg3h-x3jw-7jm5

Source

https://github.com/advisories/GHSA-rg3h-x3jw-7jm5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rg3h-x3jw-7jm5/GHSA-rg3h-x3jw-7jm5.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-rg3h-x3jw-7jm5

Aliases

CVE-2026-41496

Published

2026-04-17T22:24:19Z

Modified

2026-05-12T13:45:25.071423397Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)

Details

The fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase.

postgres.py additionally accepts an unvalidated schema parameter used directly in DDL.

Severity

High — CWE-89 (SQL Injection)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N — 8.1

Exploitable in any deployment where table_prefix is derived from external input (multi-tenant setups, API-driven configuration, user-modifiable config files). Default config ("praison_") is not affected.

Details

The CVE-2026-40315 fix added this guard to sqlite.py:52:

# sqlite.py — PATCHED
import re
if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix):
    raise ValueError("table_prefix must contain only alphanumeric characters and underscores")

The following backends perform the identical table_prefix → f-string SQL pattern without this guard:

| Backend | File | Line | Injection points | | ---------------- | -------------------------------------------- | --------------- | ----------------------- | | MySQL | persistence/conversation/mysql.py | 65 | 5 | | PostgreSQL | persistence/conversation/postgres.py | 89 (+schema:88) | 10 | | Async SQLite | persistence/conversation/async_sqlite.py | 43 | 13 | | Async MySQL | persistence/conversation/async_mysql.py | 65 | 13 | | Async PostgreSQL | persistence/conversation/async_postgres.py | 63 | 13 | | Turso/LibSQL | persistence/conversation/turso.py | 66 | 9 | | SingleStore | persistence/conversation/singlestore.py | 51 | 7 | | Supabase | persistence/conversation/supabase.py | 68 | 9 | | SurrealDB | persistence/conversation/surrealdb.py | 57 | 8 | | Total | 9 backends | | 52 injection points |

Additionally, praisonai-agents/praisonaiagents/storage/backends.py:179 (SQLiteBackend) accepts table_name without validation.

PoC

#!/usr/bin/env python3
"""
Demonstrates: sqlite.py rejects malicious table_prefix, mysql.py accepts it.
Run: python3 poc.py  (no dependencies required)
"""
import re

payload = "x'; DROP TABLE users; --"

# ── SQLite (patched) ────────────────────────────────────────────────
try:
    if not re.match(r'^[a-zA-Z0-9_]*$', payload):
        raise ValueError("blocked")
    print(f"[SQLite] FAIL — accepted: {payload}")
except ValueError:
    print(f"[SQLite] OK — rejected malicious table_prefix")

# ── MySQL (unpatched) ───────────────────────────────────────────────
sessions_table = f"{payload}sessions"
sql = f"CREATE TABLE IF NOT EXISTS {sessions_table} (session_id VARCHAR(255) PRIMARY KEY)"
print(f"[MySQL]  VULN — generated SQL:\n  {sql}")

# ── PostgreSQL (unpatched — both table_prefix AND schema) ──────────
schema = "public; DROP SCHEMA data CASCADE; --"
sessions_table = f"{schema}.praison_sessions"
sql = f"CREATE SCHEMA IF NOT EXISTS {schema}"
print(f"[Postgres] VULN — schema injection:\n  {sql}")

Output:

[SQLite] OK — rejected malicious table_prefix
[MySQL]  VULN — generated SQL:
  CREATE TABLE IF NOT EXISTS x'; DROP TABLE users; --sessions (session_id VARCHAR(255) PRIMARY KEY)
[Postgres] VULN — schema injection:
  CREATE SCHEMA IF NOT EXISTS public; DROP SCHEMA data CASCADE; --

Vulnerable code (mysql.py, representative)

# mysql.py:65-67 — NO validation
self.table_prefix = table_prefix                    # ← raw input
self.sessions_table = f"{table_prefix}sessions"     # ← into identifier
self.messages_table = f"{table_prefix}messages"

# mysql.py:105 — straight into DDL
cur.execute(f"""
    CREATE TABLE IF NOT EXISTS {self.sessions_table} (
        session_id VARCHAR(255) PRIMARY KEY, ...
    )
""")

Compare with the patched sqlite.py:52:

# sqlite.py:52-53 — HAS validation
if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix):
    raise ValueError("table_prefix must contain only alphanumeric characters and underscores")

Impact

When table_prefix originates from untrusted input — multi-tenant tenant names, API request parameters, user-editable config — an attacker achieves arbitrary SQL execution against the backing database. The injected SQL runs in the context of DDL and DML operations (CREATE TABLE, INSERT, SELECT, DELETE), giving the attacker read/write/delete access to the entire database.

PostgreSQL's schema parameter adds a second injection vector in DDL (CREATE SCHEMA IF NOT EXISTS {schema}).

Database specific

{
    "github_reviewed_at": "2026-04-17T22:24:19Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2026-05-08T14:16:33Z"
}

References

Affected packages

PyPI / praisonai

Package

Name: praisonai; View open source insights on deps.dev
Purl: pkg:pypi/praisonai

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.149

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.15

0.0.16

0.0.17

0.0.18

0.0.19

0.0.20

0.0.21

0.0.22

0.0.23

0.0.24

0.0.25

0.0.26

0.0.27

0.0.28

0.0.29

0.0.30

0.0.31

0.0.32

0.0.33

0.0.34

0.0.35

0.0.36

0.0.37

0.0.38

0.0.39

0.0.40

0.0.41

0.0.42

0.0.43

0.0.44

0.0.45

0.0.46

0.0.47

0.0.48

0.0.49

0.0.50

0.0.52

0.0.53

0.0.54

0.0.55

0.0.56

0.0.57

0.0.58

0.0.59rc2

0.0.59rc3

0.0.59rc5

0.0.59rc6

0.0.59rc7

0.0.59rc8

0.0.59rc9

0.0.59rc11

0.0.59

0.0.61

0.0.64

0.0.65

0.0.66

0.0.67

0.0.68

0.0.69

0.0.70

0.0.71

0.0.72

0.0.73

0.0.74

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.1.10

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.8

1.0.9

1.0.10

1.0.11

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.35

2.0.36

2.0.37

2.0.38

2.0.39

2.0.40

2.0.41

2.0.42

2.0.43

2.0.44

2.0.45

2.0.46

2.0.47

2.0.48

2.0.49

2.0.50

2.0.51

2.0.53

2.0.54

2.0.55

2.0.56

2.0.57

2.0.58

2.0.59

2.0.60

2.0.61

2.0.62

2.0.63

2.0.64

2.0.65

2.0.66

2.0.67

2.0.68

2.0.69

2.0.70

2.0.71

2.0.72

2.0.73

2.0.74

2.0.75

2.0.76

2.0.77

2.0.78

2.0.79

2.0.80

2.0.81

2.1.0

2.1.1

2.1.4

2.1.5

2.1.6

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.20

2.2.21

2.2.22

2.2.24

2.2.25

2.2.26

2.2.27

2.2.28

2.2.29

2.2.30

2.2.31

2.2.32

2.2.33

2.2.34

2.2.35

2.2.36

2.2.37

2.2.38

2.2.39

2.2.40

2.2.41

2.2.42

2.2.43

2.2.44

2.2.45

2.2.46

2.2.47

2.2.48

2.2.49

2.2.50

2.2.51

2.2.52

2.2.53

2.2.54

2.2.55

2.2.56

2.2.57

2.2.58

2.2.59

2.2.60

2.2.61

2.2.62

2.2.63

2.2.64

2.2.65

2.2.66

2.2.67

2.2.68

2.2.69

2.2.70

2.2.71

2.2.72

2.2.73

2.2.74

2.2.75

2.2.76

2.2.77

2.2.78

2.2.79

2.2.80

2.2.81

2.2.82

2.2.83

2.2.84

2.2.86

2.2.87

2.2.88

2.2.89

2.2.90

2.2.91

2.2.93

2.2.95

2.2.96

2.2.97

2.2.98

2.2.99

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.3.11

2.3.12

2.3.13

2.3.14

2.3.15

2.3.16

2.3.18

2.3.19

2.3.20

2.3.21

2.3.22

2.3.23

2.3.24

2.3.25

2.3.26

2.3.27

2.3.28

2.3.29

2.3.30

2.3.31

2.3.32

2.3.33

2.3.34

2.3.35

2.3.36

2.3.37

2.3.38

2.3.39

2.3.40

2.3.41

2.3.42

2.3.43

2.3.44

2.3.45

2.3.46

2.3.47

2.3.48

2.3.49

2.3.50

2.3.51

2.3.52

2.3.53

2.3.54

2.3.55

2.3.56

2.3.57

2.3.58

2.3.59

2.3.60

2.3.61

2.3.62

2.3.63

2.3.64

2.3.65

2.3.66

2.3.67

2.3.68

2.3.69

2.3.70

2.3.71

2.3.72

2.3.73

2.3.74

2.3.75

2.3.76

2.3.77

2.3.78

2.3.79

2.3.80

2.3.81

2.3.82

2.3.83

2.3.84

2.3.85

2.3.86

2.3.87

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.7.0

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.1

2.9.2

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.2.0

3.2.1

3.3.0

3.3.1

3.4.0

3.4.1

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.6.0

3.6.1

3.6.2

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.7.6

3.7.7

3.7.8

3.7.9

3.8.0

3.8.1

3.8.2

3.8.3

3.8.4

3.8.5

3.8.6

3.8.7

3.8.8

3.8.9

3.8.10

3.8.11

3.8.12

3.8.13

3.8.14

3.8.16

3.8.17

3.8.18

3.8.19

3.8.20

3.8.21

3.8.22

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.9.9

3.9.10

3.9.11

3.9.12

3.9.13

3.9.14

3.9.15

3.9.16

3.9.17

3.9.18

3.9.19

3.9.20

3.9.21

3.9.22

3.9.23

3.9.24

3.9.25

3.9.26

3.9.27

3.9.28

3.9.29

3.9.30

3.9.31

3.9.32

3.9.33

3.9.34

3.9.35

3.10.0

3.10.1

3.10.2

3.10.3

3.10.4

3.10.5

3.10.6

3.10.7

3.10.8

3.10.9

3.10.10

3.10.11

3.10.12

3.10.13

3.10.14

3.10.15

3.10.16

3.10.17

3.10.18

3.10.19

3.10.20

3.10.21

3.10.22

3.10.23

3.10.24

3.10.25

3.10.26

3.10.27

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.8

3.11.9

3.11.10

3.11.11

3.11.12

3.11.13

3.11.14

3.12.0

3.12.1

3.12.2

3.12.3

4.*

4.0.0

4.1.0

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.3.0

4.3.1

4.4.0

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

4.5.0

4.5.1

4.5.2

4.5.3

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.5.15

4.5.16

4.5.18

4.5.19

4.5.20

4.5.21

4.5.22

4.5.23

4.5.24

4.5.25

4.5.26

4.5.27

4.5.28

4.5.29

4.5.30

4.5.31

4.5.32

4.5.33

4.5.34

4.5.35

4.5.36

4.5.37

4.5.38

4.5.39

4.5.40

4.5.41

4.5.42

4.5.43

4.5.44

4.5.45

4.5.46

4.5.48

4.5.49

4.5.51

4.5.52

4.5.54

4.5.55

4.5.56

4.5.57

4.5.58

4.5.59

4.5.60

4.5.62

4.5.63

4.5.64

4.5.65

4.5.67

4.5.68

4.5.69

4.5.70

4.5.71

4.5.72

4.5.73

4.5.74

4.5.76

4.5.77

4.5.78

4.5.79

4.5.80

4.5.81

4.5.82

4.5.83

4.5.85

4.5.87

4.5.88

4.5.89

4.5.90

4.5.93

4.5.94

4.5.95

4.5.96

4.5.97

4.5.98

4.5.100

4.5.101

4.5.102

4.5.103

4.5.104

4.5.105

4.5.106

4.5.107

4.5.108

4.5.109

4.5.110

4.5.111

4.5.112

4.5.113

4.5.114

4.5.115

4.5.117

4.5.118

4.5.119

4.5.120

4.5.121

4.5.122

4.5.123

4.5.124

4.5.125

4.5.126

4.5.127

4.5.128

4.5.129

4.5.130

4.5.131

4.5.132

4.5.133

4.5.134

4.5.135

4.5.136

4.5.137

4.5.139

4.5.140

4.5.143

4.5.144

4.5.145

Database specific

last_known_affected_version_range

"<= 4.5.148"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rg3h-x3jw-7jm5/GHSA-rg3h-x3jw-7jm5.json"

PyPI / praisonaiagents

Package

Name: praisonaiagents; View open source insights on deps.dev
Purl: pkg:pypi/praisonaiagents

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.8

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.15

0.0.16

0.0.17

0.0.18

0.0.19

0.0.20

0.0.21

0.0.22

0.0.23

0.0.24

0.0.25

0.0.26

0.0.27

0.0.28

0.0.29

0.0.30

0.0.31

0.0.32

0.0.33

0.0.34

0.0.35

0.0.36

0.0.37

0.0.38

0.0.39

0.0.40

0.0.41

0.0.42

0.0.43

0.0.44

0.0.45

0.0.46

0.0.47

0.0.48

0.0.49

0.0.50

0.0.51

0.0.52

0.0.53

0.0.54

0.0.56

0.0.57

0.0.58

0.0.59

0.0.60

0.0.61

0.0.62

0.0.63

0.0.64

0.0.65

0.0.66

0.0.67

0.0.68

0.0.69

0.0.70

0.0.71

0.0.72

0.0.73

0.0.74

0.0.75

0.0.76

0.0.77

0.0.78

0.0.79

0.0.80

0.0.81

0.0.82

0.0.83

0.0.84

0.0.85

0.0.86

0.0.87

0.0.88

0.0.89

0.0.90

0.0.91

0.0.92

0.0.93

0.0.94

0.0.95

0.0.96

0.0.97

0.0.98

0.0.99

0.0.100

0.0.101

0.0.102

0.0.103

0.0.104

0.0.105

0.0.106

0.0.107

0.0.108

0.0.109

0.0.110

0.0.111

0.0.112

0.0.113

0.0.114

0.0.115

0.0.116

0.0.117

0.0.118

0.0.119

0.0.120

0.0.121

0.0.122

0.0.123

0.0.124

0.0.125

0.0.126

0.0.127

0.0.128

0.0.129

0.0.130

0.0.131

0.0.132

0.0.133

0.0.134

0.0.135

0.0.136

0.0.137

0.0.138

0.0.139

0.0.140

0.0.141

0.0.142

0.0.143

0.0.144

0.0.145

0.0.146

0.0.147

0.0.148

0.0.149

0.0.150

0.0.151

0.0.152

0.0.153

0.0.154

0.0.155

0.0.156

0.0.157

0.0.158

0.0.159

0.0.160

0.0.161

0.0.162

0.0.163

0.0.164

0.0.165

0.0.166

0.0.167

0.0.168

0.0.169

0.0.170

0.0.171

0.0.172

0.0.173

0.0.174

0.0.175

0.0.176

0.0.177

0.0.178

0.0.179

0.0.180

0.0.181

0.0.182

0.0.183

0.0.184

0.0.185

0.0.187

0.0.188

0.0.189

0.0.190

0.0.191

0.0.192

0.0.193

0.0.194

0.0.195

0.0.196

0.0.197

0.0.198

0.0.199

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.20

0.1.21

0.1.22

0.1.23

0.1.24

0.1.25

0.1.26

0.1.27

0.2.0

0.2.1

0.2.2

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.4.0

0.4.1

0.5.0

0.5.1

0.5.2

0.5.3

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.7.0

0.7.1

0.8.0

0.8.1

0.9.0

0.9.1

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.10.10

0.11.0

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.11.6

0.11.7

0.11.8

0.11.9

0.11.10

0.11.11

0.11.12

0.11.13

0.11.14

0.11.15

0.11.16

0.11.17

0.11.18

0.11.19

0.11.20

0.11.21

0.11.22

0.11.23

0.11.24

0.11.25

0.11.27

0.11.28

0.11.29

0.11.30

0.11.31

0.12.0

0.12.1

0.12.2

0.12.3

0.12.4

0.12.5

0.12.6

0.12.7

0.12.8

0.12.9

0.12.10

0.12.11

0.12.12

0.12.13

0.12.14

0.12.15

0.12.16

0.12.17

0.12.18

0.12.19

0.12.20

0.12.21

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.13.6

0.13.7

0.13.8

0.13.9

0.13.10

0.13.11

0.13.12

0.13.13

0.13.14

0.13.15

0.13.16

0.13.17

0.13.18

0.13.19

0.13.20

0.13.21

0.13.22

0.13.23

0.14.0

0.14.1

0.14.2

0.14.3

0.14.4

0.14.5

0.14.6

0.14.7

0.14.8

0.14.9

0.14.10

0.14.11

0.14.12

0.14.14

0.14.15

0.14.16

0.15.0

0.15.1

0.15.2

0.15.3

1.*

1.0.0

1.1.0

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0

1.3.1

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.5.0

1.5.1

1.5.2

1.5.3

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.5.11

1.5.12

1.5.13

1.5.14

1.5.15

1.5.16

1.5.17

1.5.18

1.5.19

1.5.20

1.5.21

1.5.22

1.5.23

1.5.24

1.5.25

1.5.26

1.5.27

1.5.28

1.5.29

1.5.30

1.5.31

1.5.32

1.5.33

1.5.34

1.5.35

1.5.36

1.5.37

1.5.38

1.5.39

1.5.40

1.5.41

1.5.42

1.5.43

1.5.44

1.5.45

1.5.46

1.5.47

1.5.48

1.5.49

1.5.50

1.5.51

1.5.52

1.5.53

1.5.54

1.5.55

1.5.56

1.5.57

1.5.58

1.5.59

1.5.60

1.5.61

1.5.62

1.5.63

1.5.64

1.5.65

1.5.66

1.5.67

1.5.68

1.5.69

1.5.70

1.5.71

1.5.72

1.5.73

1.5.74

1.5.75

1.5.76

1.5.77

1.5.78

1.5.79

1.5.80

1.5.81

1.5.82

1.5.83

1.5.84

1.5.85

1.5.86

1.5.87

1.5.88

1.5.89

1.5.90

1.5.91

1.5.92

1.5.93

1.5.94

1.5.95

1.5.96

1.5.97

1.5.98

1.5.99

1.5.100

1.5.101

1.5.102

1.5.103

1.5.104

1.5.105

1.5.106

1.5.107

1.5.108

1.5.109

1.5.110

1.5.111

1.5.112

1.5.113

1.5.114

1.5.115

1.5.116

1.5.117

1.5.118

1.5.119

1.5.120

1.5.121

1.5.122

1.5.123

1.5.124

1.5.125

1.5.126

1.5.127

1.5.128

1.5.129

1.5.130

1.5.131

1.5.132

1.5.133

1.5.134

1.5.135

1.5.136

1.5.137

1.5.138

1.5.139

1.5.140

1.5.141

1.5.142

1.5.143

1.5.144

1.5.145

1.5.146

1.5.147

1.5.148

1.5.149

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

Database specific

last_known_affected_version_range

"<= 1.6.7"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rg3h-x3jw-7jm5/GHSA-rg3h-x3jw-7jm5.json"