GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,029
Maven: 5,000+
npm: 5,000+
NuGet: 976
pip: 5,000+
Pub: 13
RubyGems: 1,070
Rust: 1,404
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+

13,948 advisories

vantage6 node has an Improper Access Control issue
Moderate • CVE-2026-54533 was published for vantage6 (pip) • Jun 5, 2026

Vantage6: Set admin user and password from environment or configuration
Moderate • CVE-2026-54445 was published for vantage6 (pip) • Jun 5, 2026

net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Moderate • CVE-2026-42257 was published for net-imap (RubyGems) • May 4, 2026

CakePHP Authentication: Open redirect weakness via backslash bypass
Moderate • CVE-2026-55590 was published for cakephp/authentication (Composer) • Jun 17, 2026

Deno: Denial of service via non-ASCII bytes in WebSocket response headers
Moderate • CVE-2026-55517 was published for deno (Rust) • Jun 17, 2026

OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
Moderate • CVE-2026-46448 was published for nova (pip) • Jun 16, 2026

Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected
Moderate • CVE-2026-55636 was published for github.com/projectcapsule/capsule (Go) • Jun 17, 2026

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Moderate • CVE-2026-9595 was published for webpack-dev-server (npm) • Jun 17, 2026

Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Moderate • CVE-2026-5038 was published for multer (npm) • Jun 17, 2026

Gitea: Open Redirect via redirect_to
Moderate • CVE-2026-25779 was published for github.com/go-gitea/gitea (Go) • Jun 17, 2026

Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
Moderate • CVE-2026-54324 was published for github.com/daytonaio/daytona (Go) • Jun 17, 2026

Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Moderate • CVE-2026-54316 was published for @anthropic-ai/claude-code (npm) • Jun 17, 2026

Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Moderate • CVE-2026-54022 was published for open-webui (pip) • Jun 17, 2026

Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
Moderate • CVE-2026-54021 was published for open-webui (pip) • Jun 17, 2026

Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
Moderate • CVE-2026-54019 was published for open-webui (pip) • Jun 17, 2026

Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin
Moderate • GHSA-x7cf-6gp3-q5f8 was published for openclaw (pip) • Jun 16, 2026 • withdrawn

Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
Moderate • CVE-2026-54016 was published for open-webui (pip) • Jun 17, 2026

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Moderate • CVE-2026-54015 was published for open-webui (pip) • Jun 17, 2026

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
Moderate • CVE-2026-54014 was published for open-webui (pip) • Jun 17, 2026

Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
Moderate • CVE-2026-54009 was published for open-webui (pip) • Jun 17, 2026

Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Moderate • CVE-2026-54006 was published for open-webui (pip) • Jun 17, 2026

NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Moderate • CVE-2026-53931 was published for nocodb (npm) • Jun 17, 2026

NocoDB: Server-Side Request Forgery via Base Migration URL
Moderate • CVE-2026-53930 was published for nocodb (npm) • Jun 17, 2026

NocoDB: Stored Cross-Site Scripting via Secure Attachment
Moderate • CVE-2026-53929 was published for nocodb (npm) • Jun 17, 2026

NocoDB: Refresh Tokens Persist Through Password Recovery
Moderate • CVE-2026-53928 was published for nocodb (npm) • Jun 17, 2026

ProTip! Advisories are also available from the GraphQL API