Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

364 advisories

Loading
AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username Moderate
CVE-2026-45309 was published for asyncssh (pip) May 27, 2026
0xHunSec Credited to 0xHunSec
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam
Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing Moderate
CVE-2026-46486 was published for mvt (pip) May 21, 2026
Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path Moderate
CVE-2026-46338 was published for pymdown-extensions (pip) May 19, 2026
gistrec Credited to gistrec
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths Critical
CVE-2026-45568 was published for zrok (pip) May 19, 2026
aisafe-bot Credited to aisafe-bot
CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion High
CVE-2026-45727 was published for cloakbrowser (pip) May 18, 2026
0xlally Credited to 0xlally
AstrBot: File upload vulnerability in the function post_file of the file astrbot/dashboard/routes/chat.py Low
CVE-2026-8754 was published for AstrBot (pip) May 17, 2026
Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install` Moderate
CVE-2026-46383 was published for apm-cli (pip) May 15, 2026
0xmrma Credited to 0xmrma
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator High
CVE-2026-44716 was published for pipecat-ai (pip) May 15, 2026
AAtomical Credited to AAtomical
MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem High
CVE-2026-2614 was published for mlflow (pip) May 11, 2026
python-liquid: Absolute paths escape filesystem loader search path High
CVE-2026-45017 was published for python-liquid (pip) May 11, 2026
0xHunSec Credited to 0xHunSec
Open WebUI Arbitrary File Write, Delete via Path Traversal High
CVE-2026-44565 was published for open-webui (pip) May 11, 2026
KoreLogicSecurityDisclosures Credited to KoreLogicSecurityDisclosures and Classic298 Classic298 Classic298
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` High
CVE-2026-44340 was published for PraisonAI (pip) May 11, 2026
DHIRAL2908 Credited to DHIRAL2908
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection Critical
CVE-2026-44336 was published for PraisonAI (pip) May 11, 2026
Curly-Haired-Baboon Credited to Curly-Haired-Baboon
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal High
CVE-2026-44566 was published for open-webui (pip) May 8, 2026
KoreLogicSecurityDisclosures Credited to KoreLogicSecurityDisclosures
`potato-annotation` has a Project-Boundary Bypass Moderate
GHSA-q9m2-fhv9-3jcf was published for potato-annotation (pip) May 8, 2026
QiaoNPC Credited to QiaoNPC
Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install High
CVE-2026-44641 was published for apm-cli (pip) May 7, 2026
0xmrma Credited to 0xmrma
Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup High
CVE-2026-44307 was published for Mako (pip) May 6, 2026
0xHunSec Credited to 0xHunSec
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed Low
CVE-2026-42448 was published for magic-wormhole (pip) May 6, 2026
GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository High
CVE-2026-44243 was published for GitPython (pip) May 6, 2026
kkkh1 Credited to kkkh1
PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data High
CVE-2026-42315 was published for pyload-ng (pip) May 5, 2026
Sab44 Credited to Sab44
PyLoad Vulnerable to Path Traversal via Package Folder Name Moderate
CVE-2026-42314 was published for pyload-ng (pip) May 5, 2026
l3tchupkt Credited to l3tchupkt
wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured Moderate
CVE-2026-43901 was published for wireshark-mcp (pip) May 5, 2026
bx33661 Credited to bx33661
django-s3file is vulnerable to relative path traversal Critical
CVE-2026-42196 was published for django-s3file (pip) May 5, 2026
stsewd Credited to stsewd and amureki amureki amureki
PPTAgent: Arbitrary File Write via `save_generated_slides` Moderate
CVE-2026-42080 was published for pptagent (pip) May 5, 2026
Koukyosyumei Credited to Koukyosyumei
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database