GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,261 advisories

Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects High
CVE-2026-54018 was published for open-webui (pip) Jun 17, 2026
Credited to POV9en and Classic298
HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS High
CVE-2026-55470 was published for ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) Jun 17, 2026
Credited to dyingman1
handlebars.java FileTemplateLoader Path Traversal High
CVE-2026-55760 was published for com.github.jknack:handlebars (Maven) Jun 17, 2026
Credited to dyingman1
Filament: Disabled RichEditor field state can be used for XSS High
CVE-2026-55409 was published for filament/forms (Composer) Jun 17, 2026
Credited to mike197312 and danharrin
LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector High
CVE-2026-55405 was published for dev.langchain4j:langchain4j-mariadb (Maven) Jun 17, 2026
Credited to v9d0g and oscarpg
Multer vulnerable to Denial of Service via deeply nested field names High
CVE-2026-5079 was published for multer (npm) Jun 17, 2026
Credited to tndud042713, UlisesGascon, and bjohansebas
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer High
CVE-2026-28737 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to yonatan-pl
Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes High
CVE-2026-24791 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to kamil-sawicki
Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration High
CVE-2026-22555 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to andrejtomci
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal High
CVE-2026-54017 was published for open-webui (pip) Jun 17, 2026
Credited to Tulgaaaaaaaa, sermikr0, and Classic298
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin High
CVE-2026-53840 was published for openclaw (npm) Jun 17, 2026
Credited to YLChen-007
Open WebUI: Stored XSS to Account Takeover via Model Profile Images High
CVE-2026-54013 was published for open-webui (pip) Jun 17, 2026
Credited to 0xEr3n and Classic298
Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion High
CVE-2026-54012 was published for open-webui (pip) Jun 17, 2026
Credited to 0xEr3n, 5yu4n, and Classic298
Open WebUI: Stored XSS in Mermaid Markdown Preview High
CVE-2026-54011 was published for open-webui (pip) Jun 17, 2026
Credited to ixSly and Classic298
Open WebUI: Forged chat-file link allows cross-user file read and deletion High
CVE-2026-54010 was published for open-webui (pip) Jun 17, 2026
Credited to 0xEr3n, 5yu4n, Classic298, and oxsignal
Credited to matte1782 and Classic298
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit High
CVE-2026-54007 was published for open-webui (pip) Jun 17, 2026
Credited to Aikido-Security, JorianWoltjer, grumpinout1, and Classic298
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts High
CVE-2026-54328 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
Credited to urianpaul94
Laravel Framework: CRLF injection in default email rule High
GHSA-5vg9-5847-vvmq was published for laravel/framework (Composer) Jun 17, 2026
Credited to OmarXtream
Credited to sondt99 and dungNHVhust
Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo High
CVE-2026-26231 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to ddd
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication High
CVE-2026-28699 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to Alardiians
Gogs: Overwriting critical files results in a denial of service High
CVE-2026-52797 was published for gogs.io/gogs (Go) Jun 16, 2026
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens High
CVE-2026-28744 was published for code.gitea.io/gitea (Go) Jun 16, 2026
Credited to ohxorud-dev and lunny
n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host High
CVE-2026-54304 was published for n8n (npm) Jun 16, 2026
Credited to 34selen