GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,180 advisories

Open WebUI: Any authenticated user can read other users' private notes via Socket.IO (Moderate)
CVE-2026-54022 was published for open-webui (pip) on Jun 17, 2026
Credited to johnatzeropath and LeftenantZero
Credited to brodmart and Classic298

Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode (Moderate)
CVE-2026-54019 was published for open-webui (pip) on Jun 17, 2026
Credited to 0xEr3n and Classic298

Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration (Moderate)
CVE-2026-54016 was published for open-webui (pip) on Jun 17, 2026
Credited to Hwwg and Classic298

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion (Moderate)
CVE-2026-54015 was published for open-webui (pip) on Jun 17, 2026
Credited to 0xEr3n, Classic298, and 5yu4n

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path} (Moderate)
CVE-2026-54014 was published for open-webui (pip) on Jun 17, 2026
Credited to AAtomical and Classic298

Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field (Moderate)
CVE-2026-54009 was published for open-webui (pip) on Jun 17, 2026
Credited to bl4ckr0ss3 and Classic298

Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar (Moderate)
CVE-2026-54006 was published for open-webui (pip) on Jun 17, 2026
Credited to nayakchinmohan and Classic298

vLLM: OOM Denial of Service via Audio Decompression Bomb (Moderate)
CVE-2026-54233 was published for vllm (pip) on Jun 17, 2026
Credited to RTV-GIT, russellb, and jperezdealgaba

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router (Moderate)
CVE-2026-54236 was published for vllm (pip) on Jun 17, 2026
Credited to SnailSploit and jperezdealgaba
Credited to Aviral2642, russellb, and jperezdealgaba
Credited to kexinoh, russellb, jperezdealgaba, and DarkLight1337

vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels (Moderate)
CVE-2026-54235 was published for vllm (pip) on Jun 17, 2026
Credited to brodmart and jperezdealgaba

Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin (Moderate)
GHSA-x7cf-6gp3-q5f8 was published for openclaw (pip) on Jun 16, 2026 (withdrawn)

yt-dlp: File Downloader cookie leak with curl (Moderate)
CVE-2026-50019 was published for yt-dlp (pip) on Jun 16, 2026
Credited to seproDev, Grub4K, and bashonly

Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read (Moderate)
CVE-2026-48520 was published for langflow (pip) on Jun 16, 2026
Credited to vbCrLf, keval718, and andifilhohub

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint (Moderate)
CVE-2026-42867 was published for langflow (pip) on Jun 16, 2026
Credited to nekros1xx, Cristhianzl, andifilhohub, and AntonioABLima

LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders (Moderate)
GHSA-gr75-jv2w-4656 was published for langchain (pip) on Jun 16, 2026
Credited to Mistz1 and deprrous

Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes (Moderate)
GHSA-gj48-438w-jh9v was published for bleach (pip) on Jun 16, 2026
Credited to BangbBros

Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning (Moderate)
GHSA-g75f-g53v-794x was published for bleach (pip) on Jun 16, 2026
Credited to 0xHunSec

pypdf: Possible infinite loop when processing outlines/bookmarks in writer (Moderate)
CVE-2026-54531 was published for pypdf (pip) on Jun 16, 2026
Credited to SagDeap and stefan6419846

pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction (Moderate)
CVE-2026-54530 was published for pypdf (pip) on Jun 16, 2026
Credited to SagDeap and stefan6419846

pypdf: Possible large memory usage for form XObjects during text extraction (Moderate)
CVE-2026-49461 was published for pypdf (pip) on Jun 16, 2026
Credited to manop55555 and stefan6419846

pypdf: Inefficient decoding of FlateDecode PNG predictor streams (Moderate)
CVE-2026-49460 was published for pypdf (pip) on Jun 16, 2026
Credited to manop55555 and stefan6419846