
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

314 advisories

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion Moderate
CVE-2026-54015 was published for open-webui (pip) Jun 17, 2026
Credited to 0xEr3n, Classic298, and 5yu4n
Credited to vvvvvvvvvvel and Saku0512
Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks Moderate
CVE-2026-49411 was published for deno (Rust) Jun 16, 2026
Credited to sugarless1101
n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint Moderate
GHSA-hv7x-3x78-gx53 was published for n8n (npm) Jun 16, 2026
Credited to 34selen
vantage6 node has an Improper Access Control issue Moderate
CVE-2026-54533 was published for vantage6 (pip) Jun 5, 2026
NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints Moderate
CVE-2026-47279 was published for nocodb (npm) Jun 5, 2026
Credited to leduckhuong
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` Moderate
CVE-2026-47200 was published for @nuxt/nitro-server (npm) May 29, 2026
Credited to rmtsixq
AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` Moderate
CVE-2026-46337 was published for WWBN/AVideo (Composer) May 19, 2026
Credited to pr3ungdt
Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass Moderate
CVE-2026-37979 was published for org.keycloak:keycloak-services (Maven) May 19, 2026
Credited to tamemghq
MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API Moderate
CVE-2026-34754 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to shukla304 and dregad
MantisBT Vulnerable to Privilege Escalation from Manager to Administrator Moderate
CVE-2026-34390 was published for mantisbt/mantisbt (Composer) May 11, 2026
Credited to dracosectech-code, dregad, and shukla304
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels Moderate
CVE-2026-44561 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Funadmin has an Improper Access Control Issue Moderate
CVE-2026-7733 was published for funadmin/funadmin (Composer) May 4, 2026
MindsDB has an Improper Access Control Issue Moderate
CVE-2026-7711 was published for MindsDB (pip) May 4, 2026
FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field Moderate
CVE-2026-32699 was published for facturascripts/facturascripts (Composer) Apr 28, 2026
Credited to TurkiOS
Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration Moderate
CVE-2026-40966 was published for org.springframework.ai:spring-ai-advisors-vector-store (Maven) Apr 28, 2026
Nuclei: Local File Read via require() Module Loader Bypass Moderate
CVE-2026-41646 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
Credited to AkashHamal0x01
Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API Moderate
CVE-2026-6596 was published for langflow-base (pip) Apr 20, 2026
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records Moderate
CVE-2026-40304 was published for github.com/openziti/zrok (Go) Apr 16, 2026
Credited to bugbunny-research
October Rain has a Twig Sandbox Bypass via Collection Methods Moderate
CVE-2026-22692 was published for october/rain (Composer) Apr 14, 2026
Credited to lukasz-rybak and daftspunk
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch Moderate
CVE-2026-41398 was published for openclaw (npm) Apr 7, 2026
Credited to nexrin, KeenSecurityLab, and qclawer
Signal K Server: Unauthenticated Source Priorities Manipulation Moderate
CVE-2026-33951 was published for signalk-server (npm) Apr 3, 2026
Credited to VashuVats
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard Moderate
CVE-2026-34733 was published for wwbn/avideo (Composer) Apr 1, 2026
Credited to adrgs and aisafe-bot