GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,273 advisories
Filter by severity
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Moderate
CVE-2026-55837
was published
for
dbt-mcp
(pip)
Jun 19, 2026
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
Moderate
CVE-2026-54911
was published
for
ujson
(pip)
Jun 19, 2026
Python Liquid: Infinite loop when parsing malformed `{% case %}` tags
Moderate
CVE-2026-55865
was published
for
python-liquid
(pip)
Jun 19, 2026
JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
Moderate
GHSA-vmhf-c436-hxj4
was published
for
jupyterlab
(pip)
Jun 19, 2026
Duplicate Advisory: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
GHSA-x44p-gg67-52fc
was published
for
praisonai
(pip)
Jun 19, 2026
•
withdrawn
BBOT: Arbitrary File Write in postman_download Module
Moderate
CVE-2026-12568
was published
for
bbot
(pip)
Jun 18, 2026
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
Moderate
CVE-2026-12565
was published
for
bbot
(pip)
Jun 18, 2026
praisonai-platform: Authorization Bypass Through User-Controlled Key
Moderate
GHSA-2fjj-qqg8-fg7x
was published
for
praisonai-platform
(pip)
Jun 18, 2026
pypdf: Missing stream length values ignore defined limits
Moderate
GHSA-jm82-fx9c-mx94
was published
for
pypdf
(pip)
Jun 18, 2026
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder
Moderate
GHSA-pv2j-rghr-v5r9
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: SpiderTools redirect-target SSRF protection bypass
Moderate
GHSA-6h9p-93hq-q7h6
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint
Moderate
GHSA-35w5-pcw4-jx94
was published
for
praisonaiagents
(pip)
Jun 18, 2026
marimo contains a reflected cross-site scripting vulnerability in the notebook page
Moderate
CVE-2026-54386
was published
for
marimo
(pip)
Jun 18, 2026
Hermes Agent creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644)
Moderate
CVE-2026-53870
was published
for
hermes-agent
(pip)
Jun 17, 2026
OpenStack Horizon RC file generation does not escape special characters in project names
Moderate
CVE-2026-55748
was published
for
horizon
(pip)
Jun 17, 2026
Duplicate Advisory: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
Moderate
GHSA-x8xr-mj9x-6h7w
was published
for
vllm
(pip)
Jun 17, 2026
•
withdrawn
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Moderate
CVE-2026-54022
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
Moderate
CVE-2026-54021
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
Moderate
CVE-2026-54019
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
Moderate
CVE-2026-54016
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Moderate
CVE-2026-54015
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
Moderate
CVE-2026-54014
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
Moderate
CVE-2026-54009
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Moderate
CVE-2026-54006
was published
for
open-webui
(pip)
Jun 17, 2026
vLLM: OOM Denial of Service via Audio Decompression Bomb
Moderate
CVE-2026-54233
was published
for
vllm
(pip)
Jun 17, 2026
ProTip!
Advisories are also available from the
GraphQL API