GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
364 advisories
AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username
Moderate | CVE-2026-45309 was published for asyncssh (pip) | May 27, 2026
AstrBot: File upload vulnerability in the function post_file of the file astrbot/dashboard/routes/chat.py
Low | CVE-2026-8754 was published for AstrBot (pip) | May 17, 2026
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical | CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) | May 21, 2026
Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing
Moderate | CVE-2026-46486 was published for mvt (pip) | May 21, 2026
Mako: Path traversal via double-slash URI prefix in TemplateLookup
High | CVE-2026-41205 was published for Mako (pip) | Apr 16, 2026
SaltStack Salt Directory traversal vulnerability in minion id validation
Critical | CVE-2017-12791 was published for salt (pip) | May 17, 2022
Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path
Moderate | CVE-2026-46338 was published for pymdown-extensions (pip) | May 19, 2026
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
High | CVE-2026-44566 was published for open-webui (pip) | May 8, 2026
Open WebUI Arbitrary File Write, Delete via Path Traversal
High | CVE-2026-44565 was published for open-webui (pip) | May 11, 2026
zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
Critical | CVE-2026-45568 was published for zrok (pip) | May 19, 2026
CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
High | CVE-2026-45727 was published for cloakbrowser (pip) | May 18, 2026
MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem
High | CVE-2026-2614 was published for mlflow (pip) | May 11, 2026
Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
High | CVE-2026-44641 was published for apm-cli (pip) | May 7, 2026
Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`
Moderate | CVE-2026-46383 was published for apm-cli (pip) | May 15, 2026
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
High | CVE-2026-44716 was published for pipecat-ai (pip) | May 15, 2026
Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup
High | CVE-2026-44307 was published for Mako (pip) | May 6, 2026
django-s3file is vulnerable to relative path traversal
Critical | CVE-2026-42196 was published for django-s3file (pip) | May 5, 2026
Langflow Knowledge Bases API is Vulnerable to Path Traversal
Critical | CVE-2026-42048 was published for langflow (pip) | May 5, 2026
wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured
Moderate | CVE-2026-43901 was published for wireshark-mcp (pip) | May 5, 2026
PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
High | CVE-2026-42315 was published for pyload-ng (pip) | May 5, 2026
PyLoad Vulnerable to Path Traversal via Package Folder Name
Moderate | CVE-2026-42314 was published for pyload-ng (pip) | May 5, 2026
pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider
High | CVE-2026-42351 was published for pygeoapi (pip) | Apr 29, 2026
python-liquid: Absolute paths escape filesystem loader search path
High | CVE-2026-45017 was published for python-liquid (pip) | May 11, 2026
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
High | CVE-2026-44340 was published for PraisonAI (pip) | May 11, 2026
ProTip! Advisories are also available from the GraphQL API.