Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,273 advisories

Loading
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Moderate
CVE-2026-55837 was published for dbt-mcp (pip) Jun 19, 2026
EQSTLab Credited to EQSTLab
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps() Moderate
CVE-2026-54911 was published for ujson (pip) Jun 19, 2026
Zwique Credited to Zwique, bwoodsend, and hugovk bwoodsend bwoodsend
hugovk hugovk
Python Liquid: Infinite loop when parsing malformed `{% case %}` tags Moderate
CVE-2026-55865 was published for python-liquid (pip) Jun 19, 2026
Nuhiat-Arefin Credited to Nuhiat-Arefin
JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol Moderate
GHSA-vmhf-c436-hxj4 was published for jupyterlab (pip) Jun 19, 2026
krassowski Credited to krassowski and Yann-P Yann-P Yann-P
Duplicate Advisory: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands Moderate
GHSA-x44p-gg67-52fc was published for praisonai (pip) Jun 19, 2026 withdrawn
BBOT: Arbitrary File Write in postman_download Module Moderate
CVE-2026-12568 was published for bbot (pip) Jun 18, 2026
nedlir Credited to nedlir
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284 Moderate
CVE-2026-12565 was published for bbot (pip) Jun 18, 2026
sondt99 Credited to sondt99
praisonai-platform: Authorization Bypass Through User-Controlled Key Moderate
GHSA-2fjj-qqg8-fg7x was published for praisonai-platform (pip) Jun 18, 2026
sai-sh Credited to sai-sh
pypdf: Missing stream length values ignore defined limits Moderate
GHSA-jm82-fx9c-mx94 was published for pypdf (pip) Jun 18, 2026
sondt99 Credited to sondt99 and stefan6419846 stefan6419846 stefan6419846
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder Moderate
GHSA-pv2j-rghr-v5r9 was published for praisonaiagents (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
PraisonAI: SpiderTools redirect-target SSRF protection bypass Moderate
GHSA-6h9p-93hq-q7h6 was published for praisonaiagents (pip) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint Moderate
GHSA-35w5-pcw4-jx94 was published for praisonaiagents (pip) Jun 18, 2026
sondt99 Credited to sondt99
marimo contains a reflected cross-site scripting vulnerability in the notebook page Moderate
CVE-2026-54386 was published for marimo (pip) Jun 18, 2026
OpenStack Horizon RC file generation does not escape special characters in project names Moderate
CVE-2026-55748 was published for horizon (pip) Jun 17, 2026
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO Moderate
CVE-2026-54022 was published for open-webui (pip) Jun 17, 2026
johnatzeropath Credited to johnatzeropath and LeftenantZero LeftenantZero LeftenantZero
brodmart Credited to brodmart and Classic298 Classic298 Classic298
Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode Moderate
CVE-2026-54019 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n and Classic298 Classic298 Classic298
Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration Moderate
CVE-2026-54016 was published for open-webui (pip) Jun 17, 2026
Hwwg Credited to Hwwg and Classic298 Classic298 Classic298
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion Moderate
CVE-2026-54015 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, Classic298, and 5yu4n Classic298 Classic298
5yu4n 5yu4n
Open WebUI: Sibling-Prefix Path Traversal via /cache/{path} Moderate
CVE-2026-54014 was published for open-webui (pip) Jun 17, 2026
AAtomical Credited to AAtomical and Classic298 Classic298 Classic298
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field Moderate
CVE-2026-54009 was published for open-webui (pip) Jun 17, 2026
bl4ckr0ss3 Credited to bl4ckr0ss3 and Classic298 Classic298 Classic298
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar Moderate
CVE-2026-54006 was published for open-webui (pip) Jun 17, 2026
nayakchinmohan Credited to nayakchinmohan and Classic298 Classic298 Classic298
vLLM: OOM Denial of Service via Audio Decompression Bomb Moderate
CVE-2026-54233 was published for vllm (pip) Jun 17, 2026
RTV-GIT Credited to RTV-GIT, russellb, and jperezdealgaba russellb russellb
jperezdealgaba jperezdealgaba
ProTip! Advisories are also available from the GraphQL API