Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

22 advisories

Loading
Keylime registrar and (untrusted) Agent can be bypassed by an attacker High
CVE-2023-38201 was published for keylime (pip) Sep 6, 2023
AsyncSSH Rogue Session Attack High
CVE-2023-46446 was published for asyncssh (pip) Nov 9, 2023
TrueSkrillor Credited to TrueSkrillor and lambdafu lambdafu lambdafu
Sentry improperly authorizes deletion of user issue alert notifications High
CVE-2024-45605 was published for sentry (pip) Sep 17, 2024
javeedsk8341 Credited to javeedsk8341
Sentry improperly authorizes muting of alert rules High
CVE-2024-45606 was published for sentry (pip) Sep 17, 2024
emanuelbeni Credited to emanuelbeni
pgadmin4 affected by a Restore restriction bypass via key disclosure vulnerability High
CVE-2026-1707 was published for pgadmin4 (pip) Feb 5, 2026
Langflow is Missing Ownership Verification in API Key Deletion (IDOR) High
CVE-2026-33053 was published for langflow (pip) Mar 18, 2026
FaizanKolega Credited to FaizanKolega, kolega-ai-dev, andifilhohub, and erichare kolega-ai-dev kolega-ai-dev
andifilhohub andifilhohub erichare erichare
langflow has Unauthenticated IDOR on Image Downloads High
CVE-2026-33484 was published for langflow (pip) Mar 20, 2026
akshatgit Credited to akshatgit, abhinavagarwal07, and andifilhohub abhinavagarwal07 abhinavagarwal07
andifilhohub andifilhohub
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite High
CVE-2026-28788 was published for open-webui (pip) Mar 27, 2026
Inar1Dev Credited to Inar1Dev
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check High
CVE-2026-34046 was published for langflow (pip) Mar 27, 2026
chximn-dt Credited to chximn-dt and AntonioABLima AntonioABLima AntonioABLima
Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR) High
CVE-2026-44504 was published for aegra-api (pip) May 7, 2026
victorjmarin Credited to victorjmarin
Open WebUI has inconsistent authorization controls within memories API High
CVE-2026-44570 was published for open-webui (pip) May 11, 2026
Open WebUI has Broken Access Control for Completions API High
CVE-2026-45349 was published for open-webui (pip) May 14, 2026
savvaki Credited to savvaki
Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls High
CVE-2026-45398 was published for open-webui (pip) May 14, 2026
tenbbughunters Credited to tenbbughunters, johnatzeropath, and LeftenantZero johnatzeropath johnatzeropath
LeftenantZero LeftenantZero
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints High
CVE-2026-45402 was published for open-webui (pip) May 14, 2026
MrBeard-FT Credited to MrBeard-FT and Classic298 Classic298 Classic298
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion High
CVE-2026-45671 was published for open-webui (pip) May 14, 2026
Inar1Dev Credited to Inar1Dev
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API High
CVE-2026-48169 was published for praisonai-platform (pip) May 29, 2026
joshuaalwin Credited to joshuaalwin
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID High
CVE-2026-47399 was published for praisonai-platform (pip) May 29, 2026
beanduan22 Credited to beanduan22
praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks High
CVE-2026-47406 was published for praisonai-platform (pip) May 29, 2026
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link) High
CVE-2026-47414 was published for praisonai-platform (pip) May 29, 2026
offset Credited to offset
praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR High
CVE-2026-47418 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR High
CVE-2026-47417 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR High
CVE-2026-47415 was published for praisonai-platform (pip) Jun 1, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database