Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

2,096 advisories

Loading
AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username Moderate
CVE-2026-45309 was published for asyncssh (pip) May 27, 2026
0xHunSec Credited to 0xHunSec
Weblate has a Server-Side Request Forgery issue Moderate
CVE-2025-66407 was published for Weblate (pip) May 26, 2026
secjson Credited to secjson and nijel nijel nijel
instagrapi: Unsafe signup challenge path handling in instagrapi Moderate
GHSA-ggxf-37hm-9wqf was published for instagrapi (pip) May 23, 2026
trophyxxx Credited to trophyxxx
aiograpi: Unsafe signup challenge path handling Moderate
CVE-2026-47157 was published for aiograpi (pip) May 23, 2026
trophyxxx Credited to trophyxxx
Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance Moderate
CVE-2026-46715 was published for Flask-Security-Too (pip) May 22, 2026
0xHunSec Credited to 0xHunSec
Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580) Moderate
CVE-2026-46678 was published for pydantic-ai (pip) May 21, 2026
j0hndo Credited to j0hndo
SQLAdmin: Authorization Bypass on `ajax_lookup` Moderate
CVE-2026-46645 was published for sqladmin (pip) May 21, 2026
FlaskBB: SSRF in get_image_info() via unrestricted avatar URL Moderate
CVE-2026-46556 was published for flaskbb (pip) May 21, 2026
woohyunchoi-kentech Credited to woohyunchoi-kentech, programsurf, and yoonsh programsurf programsurf
yoonsh yoonsh
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API Moderate
CVE-2026-46561 was published for pyload-ng (pip) May 21, 2026
offset Credited to offset
Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler Moderate
CVE-2026-8597 was published for sagemaker (pip) May 21, 2026
Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing Moderate
CVE-2026-46486 was published for mvt (pip) May 21, 2026
Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path Moderate
CVE-2026-46338 was published for pymdown-extensions (pip) May 19, 2026
gistrec Credited to gistrec
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix Moderate
CVE-2026-45409 was published for idna (pip) May 19, 2026
StanFromIreland Credited to StanFromIreland and kjd kjd kjd
NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes Moderate
CVE-2026-45554 was published for nicegui (pip) May 18, 2026
bitinerant Credited to bitinerant, evnchn, and falkoschindler evnchn evnchn
falkoschindler falkoschindler
eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check Moderate
GHSA-74r7-3mjm-jc5v was published for edumfa (pip) May 18, 2026
Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install` Moderate
CVE-2026-46383 was published for apm-cli (pip) May 15, 2026
0xmrma Credited to 0xmrma
Weblate: Stored HTML injection in editor search preview Moderate
CVE-2026-45106 was published for weblate (pip) May 15, 2026
adrgs Credited to adrgs, aisafe-bot, nijel, and KarenKonou aisafe-bot aisafe-bot
nijel nijel KarenKonou KarenKonou
Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS) Moderate
CVE-2026-45667 was published for open-webui (pip) May 14, 2026
densi97 Credited to densi97
Open WebUI has an Indirect Object Reference (IDOR) in user notes Moderate
CVE-2026-45666 was published for open-webui (pip) May 14, 2026
zeeshanyshaikh Credited to zeeshanyshaikh
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure Moderate
CVE-2026-45397 was published for open-webui (pip) May 14, 2026
0xRyuzak1 Credited to 0xRyuzak1
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation Moderate
CVE-2026-45396 was published for open-webui (pip) May 14, 2026
yantongggg Credited to yantongggg
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage) Moderate
CVE-2026-45387 was published for open-webui (pip) May 14, 2026
Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint Moderate
CVE-2026-45386 was published for open-webui (pip) May 14, 2026
kikayli Credited to kikayli and Classic298 Classic298 Classic298
Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint Moderate
CVE-2026-45385 was published for open-webui (pip) May 14, 2026
kikayli Credited to kikayli and Classic298 Classic298 Classic298
Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED] Moderate
CVE-2026-45365 was published for open-webui (pip) May 14, 2026
johnatzeropath Credited to johnatzeropath and LeftenantZero LeftenantZero LeftenantZero
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database