Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
50
GitHub Actions
50
Go
3,706
Maven
5,000+
npm
5,000+
NuGet
934
pip
4,936
Pub
13
RubyGems
1,053
Rust
1,332
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28 advisories

Loading
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions Moderate
CVE-2026-40071 was published for pyload-ng (pip) Apr 8, 2026
komi22 Credited to komi22
Open WebUI has Broken Access Control in Tool Valves High
CVE-2026-34222 was published for open-webui (pip) Apr 1, 2026
timoles Credited to timoles and sec-consult sec-consult sec-consult
SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking High
CVE-2026-32716 was published for scitokens (pip) Mar 31, 2026
pmcao Credited to pmcao and djw8605 djw8605 djw8605
Frigte has broken access control viewer user can delete admin and other users account High
CVE-2026-33125 was published for frigate (pip) Mar 18, 2026
czerlun Credited to czerlun
Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field High
CVE-2026-22033 was published for label-studio (pip) Jan 12, 2026
david3107 Credited to david3107
FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO Moderate
CVE-2025-68481 was published for fastapi-users (pip) Dec 19, 2025
davidbors-snyk Credited to davidbors-snyk
FastAPI SSP is vulnerable to Cross-site Request Forgery (CSRF) through improper OAuth parameter validation Moderate
CVE-2025-14546 was published for fastapi-sso (pip) Dec 19, 2025
Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR) Moderate
CVE-2025-67715 was published for Weblate (pip) Dec 15, 2025
naxus-audit Credited to naxus-audit and nijel nijel nijel
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access Moderate
CVE-2025-55675 was published for apache-superset (pip) Aug 14, 2025
Salt vulnerable to arbitrary event injection High
CVE-2025-22239 was published for salt (pip) Jun 13, 2025
Apache Superset Allows Ownership Takeover Moderate
CVE-2025-27696 was published for apache-superset (pip) May 13, 2025
LiteLLM Has an Improper Authorization Vulnerability High
CVE-2025-0628 was published for litellm (pip) Mar 20, 2025
Gradio Blocked Path ACL Bypass Vulnerability Critical
CVE-2025-23042 was published for gradio (pip) Jan 14, 2025
superboy-zjc Credited to superboy-zjc and jackfromeast jackfromeast jackfromeast
Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access High
CVE-2024-55633 was published for apache-superset (pip) Dec 12, 2024
Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled High
CVE-2024-53949 was published for apache-superset (pip) Dec 9, 2024
Gradio's CORS origin validation accepts the null origin Moderate
CVE-2024-47165 was published for gradio (pip) Oct 10, 2024
ahpaleus Credited to ahpaleus and Vasco-jofra Vasco-jofra Vasco-jofra
Gradios's CORS origin validation is not performed when the request has a cookie High
CVE-2024-47084 was published for gradio (pip) Oct 10, 2024
ahpaleus Credited to ahpaleus and Vasco-jofra Vasco-jofra Vasco-jofra
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace High
CVE-2024-29033 was published for oauthenticator (pip) Mar 20, 2024
manics Credited to manics, consideRatio, and betatim consideRatio consideRatio
betatim betatim
Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes Moderate
CVE-2023-47037 was published for apache-airflow (pip) Nov 12, 2023
r3kumar Credited to r3kumar and sunSUNQ sunSUNQ sunSUNQ
matrix-synapse vulnerable to improper validation of receipts allows forged read receipts Moderate
CVE-2023-42453 was published for matrix-synapse (pip) Sep 26, 2023
Improper authorization on debug and artifact file downloads High
CVE-2023-36826 was published for sentry (pip) Jul 25, 2023
Swatinem Credited to Swatinem
Improper Authorization in modoboa Critical
CVE-2023-2227 was published for modoboa (pip) Apr 21, 2023
Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API High
CVE-2022-41672 was published for apache-airflow (pip) Oct 7, 2022
sunSUNQ Credited to sunSUNQ
Improper Authorization in cobbler Moderate
CVE-2022-0860 was published for cobbler (pip) Mar 11, 2022
ysf Credited to ysf
Improper Authorization and Origin Validation Error in OneFuzz Critical
CVE-2021-37705 was published for onefuzz (pip) Aug 13, 2021
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database