Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

1,981 advisories

Loading
MLflow: unauthenticated access to certain FastAPI routes High
CVE-2026-2652 was published for mlflow (pip) May 15, 2026
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out High
CVE-2026-46517 was published for lmdeploy (pip) May 21, 2026
ibondarenko1 Credited to ibondarenko1
Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path High
CVE-2026-8596 was published for sagemaker (pip) May 21, 2026
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization High
CVE-2026-46432 was published for lmdeploy (pip) May 21, 2026
beanduan22 Credited to beanduan22
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS High
GHSA-vrxg-gm77-7q5g was published for windows-mcp (pip) May 21, 2026
JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request High
CVE-2026-42266 was published for jupyterlab (pip) May 5, 2026
pmcao Credited to pmcao, Yann-P, and krassowski Yann-P Yann-P
krassowski krassowski
Scrapy denial of service vulnerability High
CVE-2017-14158 was published for scrapy (pip) May 17, 2022
jhutchings1 Credited to jhutchings1, G-Rath, ayatweb, and Matthew-Grayson G-Rath G-Rath
ayatweb ayatweb Matthew-Grayson Matthew-Grayson
wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None High
GHSA-mw8f-w6p8-xrf4 was published for wger (pip) May 20, 2026
HiyokoSauna37 Credited to HiyokoSauna37
Diffusers: TOCTOU Trust Remote Code Bypass High
CVE-2026-45804 was published for diffusers (pip) May 20, 2026
gal-zafran Credited to gal-zafran
Mako: Path traversal via double-slash URI prefix in TemplateLookup High
CVE-2026-41205 was published for Mako (pip) Apr 16, 2026
0xHunSec Credited to 0xHunSec and augustocesarperin augustocesarperin augustocesarperin
Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default High
CVE-2024-6221 was published for Flask-Cors (pip) Aug 18, 2024
adrianosela Credited to adrianosela, Alex-ley-scrub, and icarocd Alex-ley-scrub Alex-ley-scrub
icarocd icarocd
Gradio Path Traversal vulnerability High
CVE-2024-0964 was published for gradio (pip) Feb 6, 2024
Improper query string handling in Django High
CVE-2010-4534 was published for Django (pip) Jul 23, 2018
MarkLee131 Credited to MarkLee131
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser High
CVE-2026-46374 was published for sqlfluff (pip) May 19, 2026
SQLFluff: Recursive Stack Overflow in Parser High
CVE-2026-46373 was published for sqlfluff (pip) May 19, 2026
Cross-site request forgery in Django High
CVE-2011-0696 was published for Django (pip) Jul 23, 2018
MarkLee131 Credited to MarkLee131
SQL injection in Django High
CVE-2020-9402 was published for Django (pip) Jun 5, 2020
sunSUNQ Credited to sunSUNQ
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions High
CVE-2026-45315 was published for open-webui (pip) May 14, 2026
maloleg Credited to maloleg and Classic298 Classic298 Classic298
Open WebUI's chat completion API allows tool restrictions to be bypassed High
CVE-2026-45350 was published for open-webui (pip) May 14, 2026
Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py) High
CVE-2026-45338 was published for open-webui (pip) May 14, 2026
Sebasteuo Credited to Sebasteuo
Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image High
CVE-2026-45314 was published for open-webui (pip) May 14, 2026
Aikido-Security Credited to Aikido-Security, JorianWoltjer, reindaelman, grumpinout1, and Classic298 JorianWoltjer JorianWoltjer
reindaelman reindaelman grumpinout1 grumpinout1 Classic298 Classic298
Open WebUI has stored XSS via the HTML renedering view High
CVE-2026-45303 was published for open-webui (pip) May 14, 2026
simioni87 Credited to simioni87
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file High
CVE-2026-45301 was published for open-webui (pip) May 14, 2026
vi11ain Credited to vi11ain
Open WebUI has inconsistent authorization controls within memories API High
CVE-2026-44570 was published for open-webui (pip) May 11, 2026
Open WebUI's Insecure Message Access Breaks Authorization High
CVE-2026-44569 was published for open-webui (pip) May 11, 2026
geckosecurity Credited to geckosecurity
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database