GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,029
Maven: 5,000+
npm: 5,000+
NuGet: 976
pip: 5,000+
Pub: 13
RubyGems: 1,070
Rust: 1,404
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
11,261 advisories
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
High | CVE-2026-54305 was published for n8n (npm) | Jun 16, 2026
n8n: Credential Exfiltration via Permission Bypass
High | CVE-2026-54307 was published for n8n (npm) | Jun 16, 2026
n8n: Microsoft SQL Node Prototype Pollution
High | CVE-2026-54312 was published for n8n (npm) | Jun 16, 2026
yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp
High | GHSA-69qj-pvh9-c5wg was published for yt-dlp (pip) | Jun 16, 2026
Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles
High | CVE-2026-54322 was published for github.com/daytonaio/daytona (Go) | Jun 16, 2026
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
High | CVE-2026-52845 was published for github.com/caddyserver/caddy (Go) | Jun 16, 2026
Caddy: Windows `file_server` path authorization bypass via encoded backslash
High | CVE-2026-52844 was published for github.com/caddyserver/caddy (Go) | Jun 16, 2026
yt-dlp: Arbitrary code execution via manifest downloads with aria2c
High | CVE-2026-50574 was published for yt-dlp (pip) | Jun 16, 2026
Daytona: Public sandbox previews remain accessible for up to one hour after being made private
High | CVE-2026-54321 was published for github.com/daytonaio/daytona (Go) | Jun 16, 2026
Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
High | CVE-2026-53622 was published for Traefik (Go) | Jun 16, 2026
Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check
High | CVE-2026-53755 was published for crawl4ai (pip) | Jun 16, 2026
Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server
High | GHSA-7cx2-g3h9-382p was published for crawl4ai (pip) | Jun 16, 2026
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution
High | GHSA-f989-c77f-r2cq was published for crawl4ai (pip) | Jun 16, 2026
Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped)
High | CVE-2026-53754 was published for crawl4ai (pip) | Jun 16, 2026
yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
High | CVE-2026-50023 was published for yt-dlp (pip) | Jun 16, 2026
Deno: Miller-Rabin Primality Test Allows Zero Rounds
High | CVE-2026-49440 was published for deno (Rust) | Jun 16, 2026
Deno: Command Injection via spawnSync & spawn on Windows
High | CVE-2026-49402 was published for deno (Rust) | Jun 16, 2026
Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
High | CVE-2026-48491 was published for Traefik (Go) | Jun 16, 2026
n8n: Same-Origin XSS in Respond to Webhook Node
High | CVE-2026-54301 was published for n8n (npm) | Jun 16, 2026
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
High | CVE-2026-41523 was published for vllm (pip) | Jun 16, 2026
Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints
High | CVE-2026-33760 was published for langflow (pip) | Jun 16, 2026
Astro: Host header SSRF in prerendered error page fetch
High | CVE-2026-54299 was published for astro (npm) | Jun 16, 2026
Natural Language Toolkit (NLTK): URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read
High | CVE-2026-54293 was published for nltk (pip) | Jun 16, 2026
ProTip! Advisories are also available from the GraphQL API.