GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

13,456 advisories

Open WebUI Has Stored Cross-Site Scripting in SVG Renderer Moderate
CVE-2026-45346 was published for open-webui (npm) May 14, 2026
Credited to ZoczuS
Credited to simioni87
Credited to aliceQWAS and Classic298
Svelte SSR vulnerable to cross-site scripting via spread attributes Moderate
CVE-2026-42599 was published for svelte (npm) May 14, 2026
Credited to dummdidumm and elliott-with-the-longest-name-on-github
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation Moderate
CVE-2026-45317 was published for open-webui (pip) May 14, 2026
Credited to bray-sec and Classic298
Credited to foodlook
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad Moderate
CVE-2026-45306 was published for pyload-ng (pip) May 14, 2026
Credited to NSSYS
Home Assistant MCP Server: YAML config backups written under www/ are served unauthenticated at /local/ Moderate
GHSA-g39v-cvjh-8fpf was published for ha-mcp (pip) May 14, 2026
Credited to bharat
Open WebUI has Stored Cross-Site Scripting In Profile Picture Moderate
CVE-2026-45299 was published for open-webui (pip) May 14, 2026
Credited to raresvis, Gh05t666nero, and Classic298
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin Moderate
CVE-2026-45021 was published for github.com/kumahq/kuma (Go) May 14, 2026
Credited to hewei-gikaku
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function Moderate
GHSA-9m65-766c-r333 was published for @tanstack/start-server-core (npm) May 14, 2026
Credited to mufeedvh
Mistune Image Directive CSS Injection Vulnerability Moderate
CVE-2026-44899 was published for mistune (pip) May 14, 2026
Credited to QiaoNPC and Across-Verticals-Malaysia
Mistune TOC Anchor Injection XSS Moderate
CVE-2026-44898 was published for mistune (pip) May 14, 2026
Credited to QiaoNPC and Across-Verticals-Malaysia
OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation Moderate
CVE-2026-45292 was published for io.opentelemetry:opentelemetry-api (Maven) May 14, 2026
Credited to August829, trask, and jack-berg
Portainer missing authorization on custom template file endpoint, which exposes template content Moderate
CVE-2026-44884 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to duddnr0615k
Portainer has a path traversal in backup archive extraction that allows arbitrary file write Moderate
CVE-2026-44885 was published for github.com/portainer/portainer (Go) May 14, 2026
Credited to kolega-ai-dev
Synapse pagination Denial of Service Moderate
CVE-2026-45076 was published for matrix-synapse (pip) May 14, 2026
pyzipper has an encryption bypass for small files encrypted using it Moderate
CVE-2026-44722 was published for pyzipper (pip) May 14, 2026
Credited to llavarello
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input Moderate
CVE-2026-42853 was published for @apostrophecms/cli (npm) May 14, 2026
Credited to VadlaReddySai and Chittu13
Fleet: IP spoofing allows bypassing API rate limiting Moderate
CVE-2026-46356 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet vulnerable to OS command injection in software packages Moderate
CVE-2026-26191 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Fleet has a rate limiting bypass via untrusted client IP headers Moderate
CVE-2026-24000 was published for github.com/fleetdm/fleet/v4 (Go) May 14, 2026
Strapi Upload Plugin MIME Validation Bypass via Content API Moderate
CVE-2026-22707 was published for @strapi/upload (npm) May 14, 2026
Credited to kaminuma and arkmarta
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying Moderate
CVE-2025-64526 was published for @strapi/plugin-users-permissions (npm) May 13, 2026
Credited to adriatikii and derrickmehaffy