
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

30,601 advisories

vm2 Has a Sandbox Breakout Using Async Generator Critical
CVE-2026-45411 was published for vm2 (npm) May 14, 2026
Credited to XmiliaH
Credited to ZeroXJacks
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj High
CVE-2026-46509 was published for @ranfdev/deepobj (npm) May 14, 2026
Credited to 0xBassia
@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol Moderate
CVE-2026-45366 was published for @utcp/http (npm) May 14, 2026
Credited to YLChen-007
slack-go `SecretsVerifier` accepts empty signing secret without precondition Moderate
GHSA-gxhx-2686-5h9g was published for github.com/slack-go/slack (Go) May 14, 2026
Credited to SnailSploit
Marten has an injection vulnerability in its full-text search regConfig parameter Critical
CVE-2026-45288 was published for Marten (NuGet) May 14, 2026
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation Critical
GHSA-wf8q-wvv8-p8jf was published for @samanhappy/mcphub (npm) May 14, 2026
Credited to ibrahmsql
Svelte: SSR XSS via Insecure Promise Serialization in hydratable Moderate
GHSA-f3cj-j4f6-wq85 was published for svelte (npm) May 14, 2026
Credited to dummdidumm and elliott-with-the-longest-name-on-github
electerm's encrypt method not safe enough Moderate
CVE-2026-45787 was published for electerm (npm) May 14, 2026
Credited to Curly-Haired-Baboon
Electerm Local code through electerm's single-instance socket Critical
CVE-2026-45353 was published for electerm (npm) May 14, 2026
Credited to Curly-Haired-Baboon
DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files Critical
CVE-2026-45374 was published for deepseek-tui (Rust) May 14, 2026
Credited to 47Cid
DeepSeek TUI has SSRF IPV6 bypass High
CVE-2026-45373 was published for deepseek-tui (Rust) May 14, 2026
Credited to JafarAkhondali
DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval Critical
CVE-2026-45311 was published for deepseek-tui (npm) May 14, 2026
Credited to 47Cid
DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool High
CVE-2026-45310 was published for deepseek-tui (npm) May 14, 2026
Credited to 47Cid
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State Moderate
CVE-2026-42573 was published for svelte (npm) May 14, 2026
Credited to elliott-with-the-longest-name-on-github and dummdidumm
Svelte: ReDoS in `<svelte:element>` Tag Validation Moderate
CVE-2026-42567 was published for svelte (npm) May 14, 2026
Credited to Meltedd, dummdidumm, and elliott-with-the-longest-name-on-github
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts High
CVE-2026-45675 was published for open-webui (pip) May 14, 2026
Credited to sfwani and Classic298
Credited to aliceQWAS
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion High
CVE-2026-45671 was published for open-webui (pip) May 14, 2026
Credited to Inar1Dev
Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS) Moderate
CVE-2026-45667 was published for open-webui (pip) May 14, 2026
Credited to densi97
Open WebUI has an Indirect Object Reference (IDOR) in user notes Moderate
CVE-2026-45666 was published for open-webui (pip) May 14, 2026
Credited to zeeshanyshaikh
Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order High
CVE-2026-45665 was published for open-webui (npm) May 14, 2026
Credited to POV9en
Credited to MrBeard-FT and Classic298
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url High
GHSA-3wgj-c2hg-vm6q was published for open-webui (pip) May 14, 2026
Credited to matte1782
ProTip! Advisories are also available from the GraphQL API