Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

645 advisories

Loading
vantage6 node has an Improper Access Control issue Moderate
CVE-2026-54533 was published for vantage6 (pip) Jun 5, 2026
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion Moderate
CVE-2026-54015 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, Classic298, and 5yu4n Classic298 Classic298
5yu4n 5yu4n
Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion High
CVE-2026-54012 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, 5yu4n, and Classic298 5yu4n 5yu4n
Classic298 Classic298
Open WebUI: Forged chat-file link allows cross-user file read and deletion High
CVE-2026-54010 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, 5yu4n, Classic298, and oxsignal 5yu4n 5yu4n
Classic298 Classic298 oxsignal oxsignal
Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services Moderate
CVE-2026-54761 was published for github.com/traefik/traefik (Go) Jun 17, 2026
vvvvvvvvvvel Credited to vvvvvvvvvvel and Saku0512 Saku0512 Saku0512
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication High
CVE-2026-28699 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Alardiians Credited to Alardiians
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints High
CVE-2026-54305 was published for n8n (npm) Jun 16, 2026
Solidscripting Credited to Solidscripting
Caddy: Windows `file_server` path authorization bypass via encoded backslash High
CVE-2026-52844 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Vincent550102 Credited to Vincent550102
Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks Moderate
CVE-2026-49411 was published for deno (Rust) Jun 16, 2026
sugarless1101 Credited to sugarless1101
n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint Moderate
GHSA-hv7x-3x78-gx53 was published for n8n (npm) Jun 16, 2026
34selen Credited to 34selen
Local settings bypass config trust checks High
CVE-2026-35533 was published for mise (Rust) Apr 7, 2026
kq5y Credited to kq5y
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` Moderate
CVE-2026-47200 was published for @nuxt/nitro-server (npm) May 29, 2026
rmtsixq Credited to rmtsixq
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam and A7um A7um A7um
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking High
CVE-2026-44249 was published for io.netty:netty-handler (Maven) Jun 8, 2026
violetagg Credited to violetagg
MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks Moderate
CVE-2026-2734 was published for mlflow (pip) May 21, 2026
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger Critical
CVE-2026-46614 was published for github.com/fission/fission (Go) May 21, 2026
FORIMOC Credited to FORIMOC, Yuremin, and sanketsudake Yuremin Yuremin
sanketsudake sanketsudake
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket High
CVE-2026-48034 was published for @hulumi/policies (npm) Jun 10, 2026
kerberosmansour Credited to kerberosmansour
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-46441 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment High
CVE-2026-42863 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-42862 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-42861 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input Critical
CVE-2026-42074 was published for openclaude (npm) May 12, 2026
Rosayxy Credited to Rosayxy
AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` Moderate
CVE-2026-46337 was published for WWBN/AVideo (Composer) May 19, 2026
pr3ungdt Credited to pr3ungdt
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete High
CVE-2026-45707 was published for n8n-mcp (npm) May 18, 2026
u-ktdi Credited to u-ktdi
Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources High
CVE-2026-42205 was published for avo (RubyGems) Apr 24, 2026
xIllunight Credited to xIllunight
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database