Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,685 advisories

Loading
Open WebUI vulnerable to Stored XSS via iFrame in citations model High
CVE-2026-26192 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Open WebUI allows limited stored XSS vila uploaded html file Moderate
CVE-2025-46571 was published for open-webui (pip) Jul 7, 2026
choket Credited to choket
ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs) Moderate
CVE-2026-44512 was published for onnx (pip) Jul 7, 2026
MinicoAI Credited to MinicoAI
alanturing881 Credited to alanturing881
Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint Moderate
CVE-2026-54724 was published for kiwitcms (pip) Jul 6, 2026
martindios Credited to martindios
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command High
CVE-2026-55426 was published for linuxfabrik-lib (pip) Jul 6, 2026
OoYo0uto Credited to OoYo0uto
Langroid: handle_message() executes user-supplied tool JSON without sender verification High
CVE-2026-54771 was published for langroid (pip) Jul 6, 2026
u-ktdi Credited to u-ktdi
YLChen-007 Credited to YLChen-007
Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases Low
CVE-2026-53759 was published for linuxfabrik-lib (pip) Jul 6, 2026
OoYo0uto Credited to OoYo0uto
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module` High
CVE-2026-55786 was published for flyto-core (pip) Jul 6, 2026
EQSTLab Credited to EQSTLab
tonghuaroot Credited to tonghuaroot
WeasyPrint has CSS Injection via Presentational Hints Moderate
CVE-2026-49452 was published for weasyprint (pip) Jul 6, 2026
AyushParkara Credited to AyushParkara
Open Babel has out-of-bounds write in MOPAC translationVectors[] (UNIT CELL TRANSLATION) High
CVE-2022-46292 was published for openbabel (pip) Jul 6, 2026
Kiwi TCMS's /init-db/ page renders and responds to requests after first use Low
CVE-2026-49292 was published for kiwitcms (pip) Jul 2, 2026
keyur-mehta Credited to keyur-mehta
fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection Critical
CVE-2026-52830 was published for fast-mcp-telegram (pip) Jul 2, 2026
DavidCarliez Credited to DavidCarliez
OoYo0uto Credited to OoYo0uto
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
chaitanyagarware Credited to chaitanyagarware
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete Critical
CVE-2026-50027 was published for mcp-memory-service (pip) Jul 2, 2026
EQSTLab Credited to EQSTLab
ProTip! Advisories are also available from the GraphQL API