Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,343
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,550
Pub
12
RubyGems
1,013
Rust
1,203
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,945 advisories

Loading
Open WebUI has unauthorized deletion of knowledge files Moderate
CVE-2026-29070 was published for open-webui (pip) Mar 27, 2026
ScaumAcktiv Credited to ScaumAcktiv
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite High
CVE-2026-28788 was published for open-webui (pip) Mar 27, 2026
Inar1Dev Credited to Inar1Dev
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` Moderate
CVE-2026-28786 was published for open-webui (pip) Mar 27, 2026
akshatgit Credited to akshatgit
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out High
CVE-2026-27893 was published for vllm (pip) Mar 27, 2026
Wernerina Credited to Wernerina and russellb russellb russellb
Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs High
CVE-2026-22742 was published for org.springframework.ai:spring-ai-bedrock-converse (Maven) Mar 27, 2026
Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter High
CVE-2026-22743 was published for org.springframework.ai:spring-ai-neo4j-store (Maven) Mar 27, 2026
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters High
CVE-2026-22744 was published for org.springframework.ai:spring-ai-redis-store (Maven) Mar 27, 2026
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key Critical
CVE-2026-22738 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 27, 2026
C2C CI utils is vulnerable to DoS via pyasn dependency (CVE-2026-30922) High
GHSA-wcjx-v2wj-xg87 was published for c2cciutils (pip) Mar 26, 2026
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter Low
GHSA-c7w3-x93f-qmm8 was published for nodemailer (npm) Mar 26, 2026
esquilichi Credited to esquilichi
Harbor: LDAP password and OIDC secret are not redacted in the audit log Moderate
GHSA-prh4-vhfh-24mj was published for github.com/goharbor/harbor (Go) Mar 26, 2026
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code High
CVE-2026-33943 was published for happy-dom (npm) Mar 26, 2026
tndud042713 Credited to tndud042713
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection Moderate
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
ByamB4 Credited to ByamB4
Loofah has improper detection of disallowed URIs via `allowed_uri?` Low
GHSA-2j22-pr5w-6gq8 was published for loofah (RubyGems) Mar 26, 2026
Ella Core Panics during NAS Authentication Response/Failure with missing IEs Moderate
CVE-2026-33907 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has a Denial of Service via SCTP connection cleanup deadlock Moderate
CVE-2026-33904 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core panics when processing a crafted NGAP LocationReport message Moderate
CVE-2026-33903 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
ImageMagick: META reader memory leak in the APP1JPEG input path Low
GHSA-9r56-3gjq-hqf7 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 26, 2026
unbengable12 Credited to unbengable12
ImageMagick has possible memory leak in ASHLAR coder when action fails Low
GHSA-6p22-q7w5-33pg was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 26, 2026
unbengable12 Credited to unbengable12
Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery Moderate
GHSA-hff2-gcpx-8f4p was published for apollo-router (Rust) Mar 26, 2026
AmirMSafari Credited to AmirMSafari
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) High
CVE-2026-33896 was published for node-forge (npm) Mar 26, 2026
peaktwilight Credited to peaktwilight
Forge has signature forgery in Ed25519 due to missing S > L check High
CVE-2026-33895 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input High
CVE-2026-33891 was published for node-forge (npm) Mar 26, 2026
Kr0emer Credited to Kr0emer
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database