GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
31,754 advisories
Open WebUI: Forged chat-file link allows cross-user file read and deletion
High
CVE-2026-54010
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
Moderate
CVE-2026-54009
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
High
CVE-2026-54008
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
High
CVE-2026-54007
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Moderate
CVE-2026-54006
was published
for
open-webui
(pip)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Moderate
CVE-2026-53931
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Base Migration URL
Moderate
CVE-2026-53930
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Stored Cross-Site Scripting via Secure Attachment
Moderate
CVE-2026-53929
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Refresh Tokens Persist Through Password Recovery
Moderate
CVE-2026-53928
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Moderate
CVE-2026-53927
was published
for
nocodb
(npm)
Jun 17, 2026
vLLM: OOM Denial of Service via Audio Decompression Bomb
Moderate
CVE-2026-54233
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Moderate
CVE-2026-54236
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
Moderate
CVE-2026-53923
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
Moderate
GHSA-8jr5-v98p-w75m
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
Moderate
CVE-2026-54235
was published
for
vllm
(pip)
Jun 17, 2026
Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
Moderate
CVE-2026-54761
was published
for
github.com/traefik/traefik
(Go)
Jun 17, 2026
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory
Moderate
CVE-2026-53765
was published
for
chrome-devtools-mcp
(npm)
Jun 17, 2026
n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints
Moderate
GHSA-664h-gpgq-h6xx
was published
for
n8n
(npm)
Jun 17, 2026
Pi Agent: Pi loads project-local extensions without approval
Moderate
CVE-2026-54325
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 17, 2026
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
High
CVE-2026-54328
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 17, 2026
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
Low
CVE-2026-54327
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 17, 2026
Laravel Framework: Temporary Signed URL Path Confusion
Moderate
GHSA-crmm-hgp2-wgrp
was published
for
laravel/framework
(Composer)
Jun 17, 2026
Laravel Framework: CRLF injection in default email rule
High
GHSA-5vg9-5847-vvmq
was published
for
laravel/framework
(Composer)
Jun 17, 2026
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
Low
CVE-2026-54326
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 16, 2026
Gitea: Token scope bypass on web archive download endpoint
Moderate
CVE-2026-20706
was published
for
code.gitea.io/gitea
(Go)
Jun 16, 2026
ProTip!
Advisories are also available from the
GraphQL API
