GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 70
GitHub Actions: 52
Go: 3,948
Maven: 5,000+
npm: 5,000+
NuGet: 969
pip: 5,000+
Pub: 13
RubyGems: 1,062
Rust: 1,383
Swift: 56

Unreviewed advisories
All unreviewed: 5,000+
1,473 advisories

The create and edit flows do not restrict which user properties may be submitted and do not...
Moderate | Unreviewed | CVE-2026-46721 was published | May 19, 2026

Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows...
Critical | Unreviewed | CVE-2026-41947 was published | May 18, 2026

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview...
High | Unreviewed | CVE-2026-41949 was published | May 18, 2026

AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
High | GHSA-qxvm-r42f-5p8j was published for WWBN/AVideo (Composer) | May 15, 2026

Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint
High | CVE-2026-44692 was published for code16/sharp (Composer) | May 15, 2026

Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with...
High | Unreviewed | CVE-2026-8629 was published | May 14, 2026

Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
High | CVE-2026-45671 was published for open-webui (pip) | May 14, 2026

Open WebUI has an Indirect Object Reference (IDOR) in user notes
Moderate | CVE-2026-45666 was published for open-webui (pip) | May 14, 2026

Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
High | CVE-2026-45402 was published for open-webui (pip) | May 14, 2026

Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
High | CVE-2026-45398 was published for open-webui (pip) | May 14, 2026

Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
Moderate | CVE-2026-45386 was published for open-webui (pip) | May 14, 2026

Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
Moderate | CVE-2026-45385 was published for open-webui (pip) | May 14, 2026

Open WebUI has Broken Access Control for Completions API
High | CVE-2026-45349 was published for open-webui (pip) | May 14, 2026

n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
High | CVE-2026-45732 was published for n8n (npm) | May 14, 2026

Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology...
High | Unreviewed | CVE-2025-15025 was published | May 14, 2026

Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and...
High | Unreviewed | CVE-2025-12008 was published | May 14, 2026

Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology,...
Moderate | Unreviewed | CVE-2026-6008 was published | May 14, 2026

Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘...
High | Unreviewed | CVE-2026-5798 was published | May 14, 2026

FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
High | CVE-2026-46441 was published for flowise (npm) | May 14, 2026

FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
High | CVE-2026-42863 was published for flowise (npm) | May 14, 2026

FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
High | CVE-2026-42862 was published for flowise (npm) | May 14, 2026

FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
High | CVE-2026-42861 was published for flowise (npm) | May 14, 2026

Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software...
Critical | Unreviewed | CVE-2026-2347 was published | May 14, 2026

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to,...
Moderate | Unreviewed | CVE-2026-6206 was published | May 14, 2026

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin...
High | Unreviewed | CVE-2026-5395 was published | May 14, 2026

ProTip! Advisories are also available from the GraphQL API