GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
31,777 advisories
Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected
Moderate
CVE-2026-55636
was published
for
github.com/projectcapsule/capsule
(Go)
Jun 17, 2026
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Moderate
CVE-2026-9595
was published
for
webpack-dev-server
(npm)
Jun 17, 2026
Multer vulnerable to Denial of Service via deeply nested field names
High
CVE-2026-5079
was published
for
multer
(npm)
Jun 17, 2026
Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Moderate
CVE-2026-5038
was published
for
multer
(npm)
Jun 17, 2026
Gitea: Open Redirect via redirect_to
Moderate
CVE-2026-25779
was published
for
github.com/go-gitea/gitea
(Go)
Jun 17, 2026
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
High
CVE-2026-28737
was published
for
code.gitea.io/gitea
(Go)
Jun 17, 2026
Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes
High
CVE-2026-24791
was published
for
code.gitea.io/gitea
(Go)
Jun 17, 2026
Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration
High
CVE-2026-22555
was published
for
code.gitea.io/gitea
(Go)
Jun 17, 2026
Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
Moderate
CVE-2026-54324
was published
for
github.com/daytonaio/daytona
(Go)
Jun 17, 2026
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Moderate
CVE-2026-54022
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
Moderate
CVE-2026-54021
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
Moderate
CVE-2026-54019
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
High
CVE-2026-54018
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal
High
CVE-2026-54017
was published
for
open-webui
(pip)
Jun 17, 2026
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
High
CVE-2026-53840
was published
for
openclaw
(npm)
Jun 17, 2026
Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
Moderate
CVE-2026-54016
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
Moderate
CVE-2026-54015
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
Moderate
CVE-2026-54014
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Stored XSS to Account Takeover via Model Profile Images
High
CVE-2026-54013
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion
High
CVE-2026-54012
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Stored XSS in Mermaid Markdown Preview
High
CVE-2026-54011
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Forged chat-file link allows cross-user file read and deletion
High
CVE-2026-54010
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
Moderate
CVE-2026-54009
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
High
CVE-2026-54008
was published
for
open-webui
(pip)
Jun 17, 2026
ProTip!
Advisories are also available from the
GraphQL API
