Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,449 advisories

Loading
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-4mpj-78p6-rj59 was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: PickleScan's pkgutil.resolve_name has a universal blocklist bypass Critical
GHSA-82fg-2r99-h7v6 was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass Critical
GHSA-5rph-q42j-36j9 was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs Critical
GHSA-6v84-v468-3c7f was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan does not block ctypes Critical
GHSA-7f79-rvx6-vxc4 was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan vulnerable to Arbitrary File Writing Critical
GHSA-rmpp-8wf5-xx5q was published for picklescan (pip) Jun 17, 2026 withdrawn
Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory Critical
CVE-2026-50203 was published for apache-airflow-providers-sftp (pip) Jun 17, 2026
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure Critical
CVE-2026-32966 was published for org.apache.dolphinscheduler:dolphinscheduler-api (Maven) Jun 17, 2026
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks Critical
CVE-2026-32967 was published for org.apache.dolphinscheduler:dolphinscheduler-api (Maven) Jun 17, 2026
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix Critical
CVE-2026-49980 was published for github.com/rclone/rclone (Go) Jun 16, 2026
kamil-sawicki Credited to kamil-sawicki and ncw ncw ncw
LiteLLM: Authentication Bypass via Host Header Injection Critical
CVE-2026-49468 was published for litellm (pip) Jun 16, 2026
LilThawg29 Credited to LilThawg29
LobeHub: Unauthenticated SSRF in `/webapi/proxy` Critical
CVE-2026-54157 was published for @lobehub/lobehub (npm) Jun 16, 2026
0xj3st3r Credited to 0xj3st3r
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution Critical
CVE-2026-56266 was published for crawl4ai (pip) Jun 16, 2026
August829 Credited to August829
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API Critical
CVE-2026-53753 was published for crawl4ai (pip) Jun 16, 2026
q1uf3ng Credited to q1uf3ng, August829, and ntohidi August829 August829
ntohidi ntohidi
vLLM: OpenAI auth bypass Critical
CVE-2026-48746 was published for vllm (pip) Jun 16, 2026
x41j Credited to x41j, russellb, and DarkLight1337 russellb russellb
DarkLight1337 DarkLight1337
Langflow: Unauthenticated RCE in Shareable Playgrounds Critical
CVE-2026-48519 was published for langflow (pip) Jun 16, 2026
vbCrLf Credited to vbCrLf, Jkavia, andifilhohub, and AntonioABLima Jkavia Jkavia
andifilhohub andifilhohub AntonioABLima AntonioABLima
Remotion: arbitrary file write vulnerability Critical
CVE-2026-30121 was published for remotion (npm) Jun 15, 2026
Remotion: remote code execution (RCE) vulnerability Critical
CVE-2026-30120 was published for remotion (npm) Jun 15, 2026
Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow Critical
CVE-2026-54257 was published for electron (npm) Jun 15, 2026
Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE Critical
CVE-2026-53633 was published for @vitest/browser (npm) Jun 15, 2026
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign Critical
CVE-2026-48150 was published for @budibase/server (npm) Jun 12, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule Critical
CVE-2026-48062 was published for codeigniter4/framework (Composer) Jun 11, 2026
z3moo Credited to z3moo and teebow1e teebow1e teebow1e
Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token Critical
CVE-2026-48039 was published for meta-ads-mcp (pip) Jun 11, 2026
232-323 Credited to 232-323
purpshell Credited to purpshell and SheIITear SheIITear SheIITear
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery Critical
CVE-2026-48031 was published for github.com/dhax/go-base (Go) Jun 10, 2026
saaa99999999 Credited to saaa99999999
ProTip! Advisories are also available from the GraphQL API