
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

10,820 advisories

urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API High
CVE-2026-44432 was published for urllib3 (pip) May 11, 2026
Credited to kimkou2024, Cycloctane, illia-v, and pquentin
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects High
CVE-2026-44431 was published for urllib3 (pip) May 11, 2026
Credited to christos-spearbit, illia-v, and sethmlarson
@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components High
GHSA-w94c-4vhp-22gx was published for @vitejs/plugin-rsc (npm) May 11, 2026
Next.js Vulnerable to Denial of Service with Server Components High
GHSA-8h8q-6873-q5fj was published for next (npm) May 11, 2026
Facebook React has a Denial of Service Vulnerability in React Server Components High
CVE-2026-23870 was published for react-server-dom-parcel (npm) May 11, 2026
go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git High
CVE-2026-45022 was published for github.com/go-git/go-git/v5 (Go) May 11, 2026
Credited to adityasaky, wlynch, patzielinski, bugbunny-research, and wayphinder
Credited to bg0d-glitch
Prometheus exporter process crash via malformed HTTP request High
CVE-2026-44902 was published for @opentelemetry/auto-instrumentations-node (npm) May 11, 2026
Credited to homanp, pichlermarc, and arminru
Credited to SSJCorpSec
Open WebUI has inconsistent authorization controls within memories API High
CVE-2026-44570 was published for open-webui (pip) May 11, 2026
Dozzle's Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpoints bypasses authentication High
CVE-2026-44985 was published for github.com/amir20/dozzle (Go) May 11, 2026
Credited to q1uf3ng
Open WebUI's Insecure Message Access Breaks Authorization High
CVE-2026-44569 was published for open-webui (pip) May 11, 2026
Credited to geckosecurity
Open WebUI Arbitrary File Write, Delete via Path Traversal High
CVE-2026-44565 was published for open-webui (pip) May 11, 2026
Credited to KoreLogicSecurityDisclosures and Classic298
Open WebUI has a CORS misconfiguration and session validation issue High
GHSA-6xcp-7mpr-m7wm was published for open-webui (pip) May 11, 2026
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` High
CVE-2026-44340 was published for PraisonAI (pip) May 11, 2026
Credited to DHIRAL2908
Credited to shmulc8
Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass High
CVE-2026-42595 was published for github.com/gotenberg/gotenberg/v8 (Go) May 11, 2026
Credited to AyushParkara
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs High
CVE-2026-41705 was published for org.springframework.ai:spring-ai-milvus-store (Maven) May 9, 2026
Velocity.js has a Prototype Pollution vulnerability through #set path assignment High
CVE-2026-44966 was published for velocityjs (npm) May 9, 2026
Credited to yumarun
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools High
CVE-2026-44895 was published for @yoda.digital/gitlab-mcp-server (npm) May 9, 2026
smallbitvec: Integer overflow in safe API leads to heap buffer overflow High
CVE-2026-44983 was published for smallbitvec (Rust) May 9, 2026
Credited to ksj1230
epa4all-client has a VAU Signature bypass High
CVE-2026-44900 was published for com.oviva.telematik:epa4all-client (Maven) May 8, 2026
Credited to snomi and Volcore
Credited to aslein1413-sys