GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,820 advisories
AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL High
CVE-2026-45578 was published for WWBN/AVideo (Composer) May 15, 2026
Credited to offset
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client High
CVE-2026-45575 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
Credited to snomi and Volcore
epa4all-client: TLS Certificate Validation Disabled in Production High
CVE-2026-45574 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
Credited to snomi and Volcore
SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion High
CVE-2026-46491 was published for simplesamlphp/simplesamlphp-module-casserver (Composer) May 15, 2026
Credited to kamil-sawicki
Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint High
CVE-2026-44692 was published for code16/sharp (Composer) May 15, 2026
Credited to baradika
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration High
CVE-2026-45715 was published for @budibase/server (npm) May 15, 2026
Credited to sajdakabir
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation High
CVE-2026-45548 was published for @budibase/server (npm) May 15, 2026
Credited to morimori-dev
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation High
CVE-2026-45364 was published for better-auth (npm) May 15, 2026
Credited to nexryai
goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request High
GHSA-mxg3-432p-mr72 was published for goshs.de/goshs/v2 (Go) May 15, 2026
Credited to offset
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files High
CVE-2026-45062 was published for github.com/dunglas/frankenphp (Go) May 15, 2026
Credited to KC1zs4, chenjj, and dunglas
Credited to AAtomical
NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class High
CVE-2026-41147 was published for nukeviet/nukeviet (Composer) May 15, 2026
Credited to hoaquynhtim99 and johnwalker189
Credited to Piravlos
@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files High
CVE-2026-22810 was published for @joplin/onenote-converter (npm) May 15, 2026
Credited to msiemens
Credited to ZeroXJacks
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj High
CVE-2026-46509 was published for @ranfdev/deepobj (npm) May 14, 2026
Credited to 0xBassia
DeepSeek TUI has SSRF IPv6 bypass High
CVE-2026-45373 was published for deepseek-tui (Rust) May 14, 2026
Credited to JafarAkhondali
DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool High
CVE-2026-45310 was published for deepseek-tui (npm) May 14, 2026
Credited to 47Cid
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts High
CVE-2026-45675 was published for open-webui (pip) May 14, 2026
Credited to sfwani and Classic298
Credited to aliceQWAS
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion High
CVE-2026-45671 was published for open-webui (pip) May 14, 2026
Credited to Inar1Dev
Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order High
CVE-2026-45665 was published for open-webui (npm) May 14, 2026
Credited to POV9en
Credited to MrBeard-FT and Classic298