GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 73
  GitHub Actions: 53
  Go: 4,023
  Maven: 5,000+
  npm: 5,000+
  NuGet: 976
  pip: 5,000+
  Pub: 13
  RubyGems: 1,069
  Rust: 1,403
  Swift: 61

Unreviewed advisories:
  All unreviewed: 5,000+

31,744 advisories in total. Most recently published first (title; severity; identifier; affected package and ecosystem; publication date):
vLLM: OOM Denial of Service via Audio Decompression Bomb
  Moderate | CVE-2026-54233 | vllm (pip) | published Jun 17, 2026

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
  Moderate | CVE-2026-54236 | vllm (pip) | published Jun 17, 2026

vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
  Moderate | CVE-2026-53923 | vllm (pip) | published Jun 17, 2026

vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
  Moderate | GHSA-8jr5-v98p-w75m | vllm (pip) | published Jun 17, 2026

vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
  Moderate | CVE-2026-54235 | vllm (pip) | published Jun 17, 2026

Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
  Moderate | CVE-2026-54761 | github.com/traefik/traefik (Go) | published Jun 17, 2026

Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory
  Moderate | CVE-2026-53765 | chrome-devtools-mcp (npm) | published Jun 17, 2026

n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints
  Moderate | GHSA-664h-gpgq-h6xx | n8n (npm) | published Jun 17, 2026

Pi Agent: Pi loads project-local extensions without approval
  Moderate | CVE-2026-54325 | @earendil-works/pi-coding-agent (npm) | published Jun 17, 2026

Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
  High | CVE-2026-54328 | @earendil-works/pi-coding-agent (npm) | published Jun 17, 2026

Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
  Low | CVE-2026-54327 | @earendil-works/pi-coding-agent (npm) | published Jun 17, 2026

Laravel Framework: Temporary Signed URL Path Confusion
  Moderate | GHSA-crmm-hgp2-wgrp | laravel/framework (Composer) | published Jun 17, 2026

Laravel Framework: CRLF injection in default email rule
  High | GHSA-5vg9-5847-vvmq | laravel/framework (Composer) | published Jun 17, 2026

Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
  Low | CVE-2026-54326 | @earendil-works/pi-coding-agent (npm) | published Jun 16, 2026

Gitea: Token scope bypass on web archive download endpoint
  Moderate | CVE-2026-20706 | code.gitea.io/gitea (Go) | published Jun 16, 2026

Gitea: Missing repository-unit authorization on issue-template API endpoints
  Moderate | CVE-2026-27783 | code.gitea.io/gitea (Go) | published Jun 16, 2026

Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
  Moderate | CVE-2026-25714 | code.gitea.io/gitea (Go) | published Jun 16, 2026

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
  High | CVE-2026-26231 | code.gitea.io/gitea (Go) | published Jun 16, 2026

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
  High | CVE-2026-28699 | code.gitea.io/gitea (Go) | published Jun 16, 2026

Gogs: Overwriting critical files results in a denial of service
  High | CVE-2026-52797 | gogs.io/gogs (Go) | published Jun 16, 2026

Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
  Critical | CVE-2026-49980 | github.com/rclone/rclone (Go) | published Jun 16, 2026

@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
  Moderate | CVE-2026-49993 | @nuxt/rspack-builder (npm) | published Jun 16, 2026

Cross-site scripting via <NoScript> slot content in Nuxt's head components
  Low | GHSA-m3q2-p4fw-w38m | nuxt (npm) | published Jun 16, 2026

LiteLLM: Authentication Bypass via Host Header Injection
  Critical | CVE-2026-49468 | litellm (pip) | published Jun 16, 2026

Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
  High | CVE-2026-28744 | code.gitea.io/gitea (Go) | published Jun 16, 2026
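The vLLM entry "temperature=NaN and temperature=Infinity bypass validation" names a bug class that is easy to reproduce in isolation: Python's json module accepts the non-standard literals NaN, Infinity and -Infinity by default, and a lower-bound check such as `temperature < 0` evaluates to False for NaN (every comparison with NaN is False) and for +Infinity (which is not below zero), so neither value is rejected. The following is an added example written for this page, not vLLM's code and not a reproduction of CVE-2026-54235; the request bodies are constructed, and the "temperature must be 0 or greater" bound and all function names are assumptions. It puts the lenient parse-and-check path beside a strict one that rejects non-finite literals at parse time and again at validation.

```python
import json
import math

# Constructed request bodies for illustration; not captured from any real service.
REQUESTS = {
    "normal":   '{"prompt": "hi", "temperature": 0.7}',
    "nan":      '{"prompt": "hi", "temperature": NaN}',
    "inf":      '{"prompt": "hi", "temperature": Infinity}',
    "negative": '{"prompt": "hi", "temperature": -1.0}',
}


def parse_lenient(body: str) -> dict:
    # json.loads accepts the non-standard literals NaN, Infinity and -Infinity
    # unless told otherwise, so non-finite floats reach the validator.
    return json.loads(body)


def _reject_constant(name: str):
    # json.loads calls parse_constant only for NaN, Infinity and -Infinity.
    raise ValueError(f"non-finite JSON literal not allowed: {name}")


def parse_strict(body: str) -> dict:
    return json.loads(body, parse_constant=_reject_constant)


def temperature_ok_naive(t) -> bool:
    # Lower-bound-only check (assumed bound: temperature >= 0).
    # Every comparison involving NaN is False, and inf is not below zero,
    # so both NaN and Infinity pass this test.
    return not (t < 0.0)


def temperature_ok_strict(t) -> bool:
    # Reject non-numbers, bool (a subclass of int), NaN and +/-inf explicitly.
    if isinstance(t, bool) or not isinstance(t, (int, float)):
        return False
    return math.isfinite(t) and t >= 0.0


def accepted_by(parser, checker) -> list:
    """Names of the sample requests that survive parse + validation."""
    accepted = []
    for name, body in REQUESTS.items():
        try:
            req = parser(body)
        except ValueError:      # json.JSONDecodeError is a ValueError too
            continue
        if checker(req["temperature"]):
            accepted.append(name)
    return accepted


def strict_parse_rejects(name: str) -> bool:
    """True if the strict parser refuses the named sample body."""
    try:
        parse_strict(REQUESTS[name])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("lenient parse + naive check accepts: ",
          accepted_by(parse_lenient, temperature_ok_naive))
    print("strict parse  + naive check accepts: ",
          accepted_by(parse_strict, temperature_ok_naive))
    print("lenient parse + strict check accepts:",
          accepted_by(parse_lenient, temperature_ok_strict))
```

Running it shows the lenient path accepting the "normal", "nan" and "inf" bodies while either hardening alone narrows acceptance to "normal". Rejecting at the parser is the cheaper fix because it covers every numeric field at once; the `math.isfinite` check belongs in the validator regardless, since a value can also arrive as a native float from a non-JSON client.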