GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
10,820 advisories
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
High
CVE-2026-44843 was published for langchain-core (pip)
May 8, 2026
Phpseclib needs guardrails on large binaryfield integers
High
CVE-2023-49316 was published for phpseclib/phpseclib (Composer)
May 8, 2026
free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
High
CVE-2026-44328 was published for github.com/free5gc/smf (Go)
May 8, 2026
free5GC NRF: type-confusion panic in POST /oauth2/token structured-form parser via Reflect.Set on incompatible types
High
CVE-2026-44325 was published for github.com/free5gc/nrf (Go)
May 8, 2026
free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
High
CVE-2026-44322 was published for github.com/free5gc/nef (Go)
May 8, 2026
free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)
High
CVE-2026-44321 was published for github.com/free5gc/smf (Go)
May 8, 2026
free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path
High
CVE-2026-44320 was published for github.com/free5gc/nef (Go)
May 8, 2026
free5GC's NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)
High
CVE-2026-44319 was published for github.com/free5gc/nef (Go)
May 8, 2026
free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference
High
CVE-2026-44316 was published for github.com/free5gc/pcf (Go)
May 8, 2026
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
High
CVE-2026-44566 was published for open-webui (pip)
May 8, 2026
Open WebUI has Improper Authorization Control
High
CVE-2026-44567 was published for open-webui (pip)
May 8, 2026
Open WebUI has stored XSS in Excel file preview
High
CVE-2026-44549 was published for open-webui (pip)
May 8, 2026
Snipe-IT has Privilege Escalation via API Permissions Assignment
High
CVE-2026-44832 was published for snipe/snipe-it (Composer)
May 8, 2026
banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI
High
CVE-2026-44209 was published for banks (pip)
May 8, 2026
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
High
CVE-2026-44728 was published for @babel/plugin-transform-modules-systemjs (npm)
May 8, 2026
Phoenix: Long-poll NDJSON body splitting causes large memory allocation
High
CVE-2026-32689 was published for phoenix (Erlang)
May 8, 2026
Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
High
CVE-2026-44554 was published for open-webui (pip)
May 8, 2026
Open WebUI's responses passthrough endpoint lacks access control authorization
High
CVE-2026-44556 was published for open-webui (pip)
May 8, 2026
Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining
High
CVE-2026-44555 was published for open-webui (pip)
May 8, 2026
Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
High
CVE-2026-44552 was published for open-webui (pip)
May 8, 2026
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
High
CVE-2026-44553 was published for open-webui (pip)
May 8, 2026
MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys
High
CVE-2026-44680 was published for @mikro-orm/knex (npm)
May 8, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
High
CVE-2026-6322 was published for fast-uri (npm)
May 8, 2026
Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
High
CVE-2026-44499 was published for zebrad (Rust)
May 8, 2026
open-webui Vulnerable to Stored XSS via Model Description
High
CVE-2026-44721 was published for open-webui (npm)
May 8, 2026
ProTip! Advisories are also available from the GraphQL API.