Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
61
GitHub Actions
50
Go
3,821
Maven
5,000+
npm
5,000+
NuGet
939
pip
5,000+
Pub
13
RubyGems
1,059
Rust
1,357
Swift
54
Unreviewed advisories
All unreviewed
5,000+

30,628 advisories

Loading
Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access) Low
CVE-2026-45316 was published for open-webui (pip) May 14, 2026
qi-scape Credited to qi-scape and Classic298 Classic298 Classic298
Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image High
CVE-2026-45314 was published for open-webui (pip) May 14, 2026
Aikido-Security Credited to Aikido-Security, JorianWoltjer, reindaelman, grumpinout1, and Classic298 JorianWoltjer JorianWoltjer
reindaelman reindaelman grumpinout1 grumpinout1 Classic298 Classic298
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions High
CVE-2026-45315 was published for open-webui (pip) May 14, 2026
maloleg Credited to maloleg and Classic298 Classic298 Classic298
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad Moderate
CVE-2026-45306 was published for pyload-ng (pip) May 14, 2026
NSSYS Credited to NSSYS
Home Assistant MCP Server: YAML config backups written under www/ are served unauthenticated at /local/ Moderate
GHSA-g39v-cvjh-8fpf was published for ha-mcp (pip) May 14, 2026
bharat Credited to bharat
Open WebUI has stored XSS via the HTML renedering view High
CVE-2026-45303 was published for open-webui (pip) May 14, 2026
simioni87 Credited to simioni87
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file High
CVE-2026-45301 was published for open-webui (pip) May 14, 2026
vi11ain Credited to vi11ain
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark Critical
CVE-2026-45058 was published for electerm (npm) May 14, 2026
Curly-Haired-Baboon Credited to Curly-Haired-Baboon
Open WebUI has Stored Cross-Site Scripting In Profile Picture Moderate
CVE-2026-45299 was published for open-webui (pip) May 14, 2026
raresvis Credited to raresvis, Gh05t666nero, and Classic298 Gh05t666nero Gh05t666nero
Classic298 Classic298
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin Moderate
CVE-2026-45021 was published for github.com/kumahq/kuma (Go) May 14, 2026
ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override High
CVE-2026-44541 was published for ethyca-fides (pip) May 14, 2026
daveqnet Credited to daveqnet
Apostrophe has stored XSS via javascript: URL in Image Widget Link High
CVE-2026-45011 was published for apostrophe (npm) May 14, 2026
MuhammadUwais Credited to MuhammadUwais
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation High
CVE-2026-45013 was published for apostrophe (npm) May 14, 2026
Mujahidkhan525 Credited to Mujahidkhan525
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget High
CVE-2026-45012 was published for apostrophe (npm) May 14, 2026
yigitsengezer Credited to yigitsengezer
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` Critical
CVE-2026-44990 was published for sanitize-html (npm) May 14, 2026
sushi-gif Credited to sushi-gif
Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections High
GHSA-7rx4-c5vx-g8w3 was published for @karakeep/sdk (npm) May 14, 2026
CE2Sec Credited to CE2Sec
go-billy has path traversal vulnerabilities High
CVE-2026-44973 was published for github.com/go-git/go-billy/v5 (Go) May 14, 2026
faran66 Credited to faran66 and vnykmshr vnykmshr vnykmshr
dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction Low
CVE-2026-44970 was published for dbt-mcp (pip) May 14, 2026
hewei-gikaku Credited to hewei-gikaku
dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled Low
CVE-2026-44969 was published for dbt-mcp (pip) May 14, 2026
hewei-gikaku Credited to hewei-gikaku
dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters Moderate
CVE-2026-44968 was published for dbt-mcp (pip) May 14, 2026
hewei-gikaku Credited to hewei-gikaku
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function Moderate
GHSA-9m65-766c-r333 was published for @tanstack/start-server-core (npm) May 14, 2026
mufeedvh Credited to mufeedvh
Mistune Image Directive CSS Injection Vulnerability Moderate
CVE-2026-44899 was published for mistune (pip) May 14, 2026
QiaoNPC Credited to QiaoNPC and Across-Verticals-Malaysia Across-Verticals-Malaysia Across-Verticals-Malaysia
Mistune TOC Anchor Injection XSS Moderate
CVE-2026-44898 was published for mistune (pip) May 14, 2026
QiaoNPC Credited to QiaoNPC and Across-Verticals-Malaysia Across-Verticals-Malaysia Across-Verticals-Malaysia
OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation Moderate
CVE-2026-45292 was published for io.opentelemetry:opentelemetry-api (Maven) May 14, 2026
August829 Credited to August829, trask, and jack-berg trask trask
jack-berg jack-berg
Portainer missing authorization on custom template file endpoint, which exposes template content Moderate
CVE-2026-44884 was published for github.com/portainer/portainer (Go) May 14, 2026
duddnr0615k Credited to duddnr0615k
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database