GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
125,465 advisories

urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
High | CVE-2026-44431 was published for urllib3 (pip) | May 11, 2026

protobuf.js: Code injection in pbjs static output from crafted schema names
High | CVE-2026-44295 was published for protobufjs-cli (npm) | May 12, 2026

protobuf.js: Code generation gadget after prototype pollution
High | CVE-2026-44291 was published for protobufjs (npm) | May 12, 2026

protobuf.js: Process-wide denial of service through unsafe option paths
High | CVE-2026-44290 was published for protobufjs (npm) | May 12, 2026

protobuf.js: Denial of service through unbounded protobuf recursion
High | CVE-2026-44289 was published for protobufjs (npm) | May 12, 2026

JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
High | CVE-2026-42557 was published for jupyterlab (pip) | May 6, 2026

protobuf.js is Vulnerable to OS Command Injection in the CLI
High | CVE-2026-42290 was published for protobufjs-cli (npm) | May 12, 2026

changedetection.io has an Arbitrary Local File Read via a crafted backup restore
High | CVE-2026-43891 was published for changedetection.io (pip) | May 5, 2026

DeepSeek TUI has SSRF IPV6 bypass
High | CVE-2026-45373 was published for deepseek-tui (Rust) | May 14, 2026

DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool
High | CVE-2026-45310 was published for deepseek-tui (npm) | May 14, 2026

Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
High | GHSA-3wgj-c2hg-vm6q was published for open-webui (pip) | May 14, 2026

Open WebUI's chat completion API allows tool restrictions to be bypassed
High | CVE-2026-45350 was published for open-webui (pip) | May 14, 2026

pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
High | CVE-2026-45348 was published for pyload-ng (pip) | May 14, 2026

Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
High | CVE-2026-45338 was published for open-webui (pip) | May 14, 2026

Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
High | CVE-2026-45314 was published for open-webui (pip) | May 14, 2026

Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
High | CVE-2026-45315 was published for open-webui (pip) | May 14, 2026

Open WebUI has stored XSS via the HTML rendering view
High | CVE-2026-45303 was published for open-webui (pip) | May 14, 2026

Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
High | CVE-2026-45301 was published for open-webui (pip) | May 14, 2026

ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override
High | CVE-2026-44541 was published for ethyca-fides (pip) | May 14, 2026

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a...
High | Unreviewed | CVE-2025-27850 was published | May 13, 2026

Firmament-Autopilot FMT-Firmware commit de5aec was discovered to contain a buffer overflow via...
High | Unreviewed | CVE-2024-55045 was published | May 13, 2026

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place...
High | Unreviewed | CVE-2026-43284 was published | May 8, 2026

Improper Control of Generation of Code ('Code Injection') vulnerability in Yordam Information...
High | Unreviewed | CVE-2025-15024 was published | May 14, 2026

Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and...
High | Unreviewed | CVE-2025-15023 was published | May 14, 2026

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could...
High | Unreviewed | CVE-2026-20224 was published | May 14, 2026

ProTip! Advisories are also available from the GraphQL API