Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,023
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,403
Swift
61
Unreviewed advisories
All unreviewed
5,000+

31,760 advisories

Loading
Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration Moderate
CVE-2026-54016 was published for open-webui (pip) Jun 17, 2026
Hwwg Credited to Hwwg and Classic298 Classic298 Classic298
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion Moderate
CVE-2026-54015 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, Classic298, and 5yu4n Classic298 Classic298
5yu4n 5yu4n
Open WebUI: Sibling-Prefix Path Traversal via /cache/{path} Moderate
CVE-2026-54014 was published for open-webui (pip) Jun 17, 2026
AAtomical Credited to AAtomical and Classic298 Classic298 Classic298
Open WebUI: Stored XSS to Account Takeover via Model Profile Images High
CVE-2026-54013 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n and Classic298 Classic298 Classic298
Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion High
CVE-2026-54012 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, 5yu4n, and Classic298 5yu4n 5yu4n
Classic298 Classic298
Open WebUI: Stored XSS in Mermaid Markdown Preview High
CVE-2026-54011 was published for open-webui (pip) Jun 17, 2026
ixSly Credited to ixSly and Classic298 Classic298 Classic298
Open WebUI: Forged chat-file link allows cross-user file read and deletion High
CVE-2026-54010 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, 5yu4n, Classic298, and oxsignal 5yu4n 5yu4n
Classic298 Classic298 oxsignal oxsignal
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field Moderate
CVE-2026-54009 was published for open-webui (pip) Jun 17, 2026
bl4ckr0ss3 Credited to bl4ckr0ss3 and Classic298 Classic298 Classic298
Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401) High
CVE-2026-54008 was published for open-webui (pip) Jun 17, 2026
matte1782 Credited to matte1782 and Classic298 Classic298 Classic298
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit High
CVE-2026-54007 was published for open-webui (pip) Jun 17, 2026
Aikido-Security Credited to Aikido-Security, JorianWoltjer, grumpinout1, and Classic298 JorianWoltjer JorianWoltjer
grumpinout1 grumpinout1 Classic298 Classic298
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar Moderate
CVE-2026-54006 was published for open-webui (pip) Jun 17, 2026
nayakchinmohan Credited to nayakchinmohan and Classic298 Classic298 Classic298
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint Moderate
CVE-2026-53931 was published for nocodb (npm) Jun 17, 2026
p- Credited to p-
NocoDB: Server-Side Request Forgery via Base Migration URL Moderate
CVE-2026-53930 was published for nocodb (npm) Jun 17, 2026
TREXNEGRO Credited to TREXNEGRO
NocoDB: Stored Cross-Site Scripting via Secure Attachment Moderate
CVE-2026-53929 was published for nocodb (npm) Jun 17, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: Refresh Tokens Persist Through Password Recovery Moderate
CVE-2026-53928 was published for nocodb (npm) Jun 17, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL Moderate
CVE-2026-53927 was published for nocodb (npm) Jun 17, 2026
TREXNEGRO Credited to TREXNEGRO
vLLM: OOM Denial of Service via Audio Decompression Bomb Moderate
CVE-2026-54233 was published for vllm (pip) Jun 17, 2026
RTV-GIT Credited to RTV-GIT, russellb, and jperezdealgaba russellb russellb
jperezdealgaba jperezdealgaba
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router Moderate
CVE-2026-54236 was published for vllm (pip) Jun 17, 2026
SnailSploit Credited to SnailSploit and jperezdealgaba jperezdealgaba jperezdealgaba
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving Moderate
CVE-2026-53923 was published for vllm (pip) Jun 17, 2026
Aviral2642 Credited to Aviral2642, russellb, and jperezdealgaba russellb russellb
jperezdealgaba jperezdealgaba
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations Moderate
GHSA-8jr5-v98p-w75m was published for vllm (pip) Jun 17, 2026
kexinoh Credited to kexinoh, russellb, jperezdealgaba, and DarkLight1337 russellb russellb
jperezdealgaba jperezdealgaba DarkLight1337 DarkLight1337
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels Moderate
CVE-2026-54235 was published for vllm (pip) Jun 17, 2026
brodmart Credited to brodmart and jperezdealgaba jperezdealgaba jperezdealgaba
Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services Moderate
CVE-2026-54761 was published for github.com/traefik/traefik (Go) Jun 17, 2026
vvvvvvvvvvel Credited to vvvvvvvvvvel and Saku0512 Saku0512 Saku0512
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory Moderate
CVE-2026-53765 was published for chrome-devtools-mcp (npm) Jun 17, 2026
enable7997 Credited to enable7997
n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints Moderate
GHSA-664h-gpgq-h6xx was published for n8n (npm) Jun 17, 2026
YLChen-007 Credited to YLChen-007
Pi Agent: Pi loads project-local extensions without approval Moderate
CVE-2026-54325 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
qerogram Credited to qerogram, urianpaul94, EQSTLab, kamalmarhubi, and useworld urianpaul94 urianpaul94
EQSTLab EQSTLab kamalmarhubi kamalmarhubi useworld useworld
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database