GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,217
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,443
Swift
61
Unreviewed advisories
All unreviewed
5,000+
51 advisories
Filter by severity
Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Moderate
CVE-2026-55163
was published
for
lemur
(pip)
Jun 25, 2026
LangGraph SDK has unsafe URL path construction
Moderate
CVE-2026-48776
was published
for
langgraph-sdk
(pip)
Jun 25, 2026
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
CVE-2026-56074
was published
for
praisonaiagents
(pip)
Apr 10, 2026
Duplicate Advisory: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Moderate
GHSA-x44p-gg67-52fc
was published
for
praisonai
(pip)
Jun 19, 2026
•
withdrawn
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Moderate
CVE-2026-54022
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
Moderate
CVE-2026-54021
was published
for
open-webui
(pip)
Jun 17, 2026
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
Moderate
CVE-2026-44564
was published
for
open-webui
(pip)
May 8, 2026
Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect
Moderate
CVE-2026-44681
was published
for
authlib
(pip)
May 13, 2026
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
Moderate
CVE-2026-42312
was published
for
pyload-ng
(pip)
May 4, 2026
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Moderate
CVE-2026-35586
was published
for
pyload-ng
(pip)
Apr 8, 2026
Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends
Moderate
CVE-2026-42526
was published
for
apache-airflow-providers-amazon
(pip)
May 19, 2026
Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
Moderate
CVE-2026-45339
was published
for
open-webu
(pip)
May 14, 2026
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels
Moderate
CVE-2026-44561
was published
for
open-webui
(pip)
May 8, 2026
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Moderate
CVE-2026-44557
was published
for
open-webui
(pip)
May 8, 2026
Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants
Moderate
CVE-2026-44558
was published
for
open-webui
(pip)
May 8, 2026
CKAN has Unauthenticated Authorization Bypass in `datastore_search_sql`
Moderate
CVE-2026-42032
was published
for
ckan
(pip)
Apr 30, 2026
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
Moderate
CVE-2026-40071
was published
for
pyload-ng
(pip)
Apr 8, 2026
openssl-encrypt has CORS wildcard with allow_credentials=True in standalone servers
Moderate
GHSA-c65f-x25w-62jv
was published
for
openssl-encrypt
(pip)
Apr 1, 2026
Apache Superset: Improper authorization validation on dashboards and charts import
Moderate
CVE-2024-26016
was published
for
apache-superset
(pip)
Feb 28, 2024
Apache Superset: Improper validation of SQL statements allows for unauthorized access to data
Moderate
CVE-2024-24773
was published
for
apache-superset
(pip)
Feb 28, 2024
Apache Superset: Improper data authorization when creating a new dataset
Moderate
CVE-2024-24779
was published
for
apache-superset
(pip)
Feb 28, 2024
OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions
Moderate
CVE-2015-5251
was published
for
glance
(pip)
May 17, 2022
trytond does not enforce access rights for data export
Moderate
CVE-2025-66424
was published
for
trytond
(pip)
Nov 30, 2025
ansible-core Incorrect Authorization vulnerability
Moderate
CVE-2024-9902
was published
for
ansible-core
(pip)
Nov 6, 2024
Apache Superset Allows Ownership Takeover
Moderate
CVE-2025-27696
was published
for
apache-superset
(pip)
May 13, 2025
ProTip!
Advisories are also available from the
GraphQL API