GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 70; GitHub Actions 52; Go 3,894; Maven 5,000+; npm 5,000+; NuGet 963; pip 5,000+; Pub 13; RubyGems 1,061; Rust 1,373; Swift 54.
Unreviewed advisories: 5,000+.
2,085 advisories match the current filter; the 25 most recent are listed below, newest first.
Published | Severity | Identifier | Package (ecosystem) | Advisory
May 21, 2026 | Moderate | CVE-2026-46678 | pydantic-ai (pip) | Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (incomplete fix of CVE-2026-25580)
May 21, 2026 | Moderate | CVE-2026-46645 | sqladmin (pip) | SQLAdmin: Authorization bypass on `ajax_lookup`
May 21, 2026 | Moderate | CVE-2026-46556 | flaskbb (pip) | FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
May 21, 2026 | Moderate | CVE-2026-46561 | pyload-ng (pip) | pyload-ng: SSRF via HTTP redirect bypass in parse_urls API
May 21, 2026 | Moderate | CVE-2026-8597 | sagemaker (pip) | Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
May 21, 2026 | Moderate | CVE-2026-46486 | mvt (pip) | Mobile Verification Toolkit (MVT): Path traversal via unsanitized File identifiers in iOS backup processing
May 19, 2026 | Moderate | CVE-2026-46338 | pymdown-extensions (pip) | Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path
May 19, 2026 | Moderate | CVE-2026-45409 | idna (pip) | Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass the CVE-2024-3651 fix
May 18, 2026 | Moderate | CVE-2026-45554 | nicegui (pip) | NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
May 18, 2026 | Moderate | GHSA-74r7-3mjm-jc5v | edumfa (pip) | eduMFA: Unauthenticated failcounter increment on resolver tokens via /validate/check
May 15, 2026 | Moderate | CVE-2026-46383 | apm-cli (pip) | Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`
May 15, 2026 | Moderate | CVE-2026-45106 | weblate (pip) | Weblate: Stored HTML injection in editor search preview
May 14, 2026 | Moderate | CVE-2026-45667 | open-webui (pip) | Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
May 14, 2026 | Moderate | CVE-2026-45666 | open-webui (pip) | Open WebUI: Insecure Direct Object Reference (IDOR) in user notes
May 14, 2026 | Moderate | CVE-2026-45397 | open-webui (pip) | Open WebUI vulnerable to unauthenticated RAG configuration disclosure
May 14, 2026 | Moderate | CVE-2026-45396 | open-webui (pip) | Open WebUI: Mass assignment via FeedbackForm extra=allow allows feedback user ID spoofing and evaluation data manipulation
May 14, 2026 | Moderate | CVE-2026-45387 | open-webui (pip) | Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
May 14, 2026 | Moderate | CVE-2026-45386 | open-webui (pip) | Open WebUI: IDOR in the pin_channel_message API endpoint
May 14, 2026 | Moderate | CVE-2026-45385 | open-webui (pip) | Open WebUI: IDOR in the update_message_by_id API endpoint
May 14, 2026 | Moderate | CVE-2026-45365 | open-webui (pip) | Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]
May 14, 2026 | Moderate | CVE-2026-45351 | open-webui (pip) | Open WebUI exposes system prompt to regular (non-admin) user
May 14, 2026 | Moderate | CVE-2026-45347 | open-webui (pip) | Open WebUI vulnerable to blind server-side request forgery (SSRF) via the PDF generate function
May 14, 2026 | Moderate | CVE-2026-45345 | open-webui (pip) | Open WebUI: Missing authorization check in the model update function; models owned by other users can be updated
May 14, 2026 | Moderate | CVE-2026-45339 | open-webui (pip) | Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header; full message processing on restricted endpoints
May 14, 2026 | Moderate | CVE-2026-45317 | open-webui (pip) | Open WebUI vulnerable to cross-site request forgery (CSRF) via image URL manipulation
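Two of the SSRF entries above describe the same class of outbound-URL validation failure from different angles: the pydantic-ai advisory (a cloud-metadata blocklist bypassed with an IPv4-mapped IPv6 literal) and the pyload-ng advisory (a check applied to the requested URL but not to the target of an HTTP redirect). The block below is an added example written for this page; it is not code from either project or from the advisory database, and it makes no claim about how those projects implement their checks. It puts a naive string-comparison blocklist beside a hardened check that parses IP literals and unwraps IPv4-mapped and 6to4 addresses before testing them against blocked ranges, and a redirect follower that can either validate only the first hop or every hop. The blocked ranges, the `example.test` URLs and the in-memory transport are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: address ranges an outbound fetcher should never
# reach. Extend per deployment (VPC CIDRs, internal service ranges, and so on).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",     # IPv4 link-local; includes 169.254.169.254 (AWS/Azure/GCP metadata)
    "fd00:ec2::254/128",  # AWS IMDS IPv6 endpoint
    "fe80::/10",          # IPv6 link-local
    "127.0.0.0/8", "::1/128",                                          # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",  # private / CGNAT
    "0.0.0.0/8",
)]

# Naive approach: compare the host string against a set of known bad names.
NAIVE_BLOCKLIST = {"169.254.169.254", "metadata.google.internal"}


def naive_allowed(url: str) -> bool:
    """String-compare blocklist. '::ffff:169.254.169.254' is not in the set,
    but the kernel delivers it to 169.254.169.254, so it slips through."""
    return urlsplit(url).hostname not in NAIVE_BLOCKLIST


def canonical_ip(host: str):
    """Parse an IP literal and unwrap IPv6 forms that embed an IPv4 address
    (::ffff:a.b.c.d mapped, 2002::/16 6to4). Returns None for DNS names."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        if addr.sixtofour is not None:
            return addr.sixtofour
    return addr


def hardened_allowed(url: str) -> bool:
    """Parse, canonicalise, then test the address against BLOCKED_NETWORKS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addr = canonical_ip(parts.hostname)
    if addr is None:
        # A DNS name: a real implementation resolves it, runs every A/AAAA record
        # through this same check, and then connects to the checked address
        # (to defeat DNS rebinding). This example runs offline, so it falls back
        # to the name list.
        return parts.hostname not in NAIVE_BLOCKLIST
    return not any(addr in net for net in BLOCKED_NETWORKS)


def fetch(url, transport, allowed, revalidate_redirects, max_hops=5):
    """Follow redirects through an injected transport; transport(url) returns
    (status, location_or_body). Returns (final_url, body), or None when blocked
    or when max_hops is exceeded. With revalidate_redirects=False only the first
    URL is checked, which is the redirect-bypass pattern: an allowed host
    answers 302 with a Location pointing at a blocked one."""
    for hop in range(max_hops):
        if (hop == 0 or revalidate_redirects) and not allowed(url):
            return None
        status, payload = transport(url)
        if status in (301, 302, 303, 307, 308):
            url = payload  # Location header of the redirect
            continue
        return url, payload
    return None


# Constructed in-memory "server": an attacker-controlled host redirects to the
# metadata service written as an IPv4-mapped IPv6 literal (hex form).
METADATA_URL = "http://[::ffff:a9fe:a9fe]/latest/meta-data/"
CONSTRUCTED_SERVER = {
    "http://files.example.test/get": (302, METADATA_URL),
    METADATA_URL: (200, "ami-id\ninstance-id\n"),
    "http://203.0.113.10/file.bin": (200, "harmless payload"),
}


def constructed_transport(url):
    return CONSTRUCTED_SERVER.get(url, (404, ""))


if __name__ == "__main__":
    mapped = "http://[::ffff:169.254.169.254]/"
    print("naive allows mapped literal:", naive_allowed(mapped))
    print("hardened allows mapped literal:", hardened_allowed(mapped))
    print("first-hop-only check:", fetch("http://files.example.test/get", constructed_transport,
                                         hardened_allowed, revalidate_redirects=False))
    print("every-hop check:", fetch("http://files.example.test/get", constructed_transport,
                                    hardened_allowed, revalidate_redirects=True))
```

The two knobs that matter are in `canonical_ip` and in the per-hop check of `fetch`: address comparison has to happen on the parsed, unwrapped address rather than on the string the caller supplied, and it has to be repeated for every URL the client is about to connect to, including redirect targets and every address a hostname resolves to. In production, use a client that lets you disable automatic redirects (or hook each hop) so that the check runs against the Location value, and pin the connection to the address you checked.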
Advisories are also available from the GraphQL API.