Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

126 advisories

Loading
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Moderate
CVE-2026-55837 was published for dbt-mcp (pip) Jun 19, 2026
EQSTLab Credited to EQSTLab
Aviral2642 Credited to Aviral2642, russellb, and jperezdealgaba russellb russellb
jperezdealgaba jperezdealgaba
yt-dlp: File Downloader cookie leak with curl Moderate
CVE-2026-50019 was published for yt-dlp (pip) Jun 16, 2026
seproDev Credited to seproDev, Grub4K, and bashonly Grub4K Grub4K
bashonly bashonly
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse Moderate
GHSA-pw6j-qg29-8w7f was published for tornado (pip) Jun 15, 2026
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges Moderate
CVE-2026-54276 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
Apache Airflow: Incomplete redaction allowlist exposes secrets in Connection `extra`  to read-permitted users Moderate
CVE-2026-45192 was published for apache-airflow (pip) Jun 1, 2026
beanduan22 Credited to beanduan22
Open WebUI Exposes System Prompt to Regular User [Non-Admin] Moderate
CVE-2026-45351 was published for open-webui (pip) May 14, 2026
shahzaibak96 Credited to shahzaibak96
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection Moderate
CVE-2026-44557 was published for open-webui (pip) May 8, 2026
Classic298 Credited to Classic298
Weblate: SSRF via Project-Level Machinery Configuration Moderate
CVE-2026-34244 was published for weblate (pip) Apr 16, 2026
DavidCarliez Credited to DavidCarliez, nijel, and amCap1712 nijel nijel
amCap1712 amCap1712
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository Moderate
CVE-2026-33220 was published for weblate (pip) Apr 16, 2026
spbavarva Credited to spbavarva and nijel nijel nijel
LangSmith SDK: Streaming token events bypass output redaction Moderate
CVE-2026-41182 was published for langsmith (npm) Apr 16, 2026
Ryu7zz Credited to Ryu7zz
PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution Moderate
CVE-2026-40159 was published for PraisonAI (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS Moderate
CVE-2026-40151 was published for PraisonAI (pip) Apr 10, 2026
offset Credited to offset
Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users Moderate
GHSA-9gjv-jvm7-vv2v was published for gramps-webapi (pip) Apr 9, 2026
mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint Moderate
CVE-2026-29787 was published for mcp-memory-service (pip) Mar 5, 2026
yotampe-pluto Credited to yotampe-pluto
Gradio has an Open Redirect in its OAuth Flow Moderate
CVE-2026-28415 was published for gradio (pip) Mar 1, 2026
logicx24 Credited to logicx24
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations Moderate
CVE-2026-27457 was published for weblate (pip) Feb 26, 2026
nijel Credited to nijel
Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users Moderate
CVE-2026-24098 was published for apache-airflow (pip) Feb 9, 2026
saivarun3407 Credited to saivarun3407
Weblate wlc has insecure API key configuration Moderate
CVE-2026-22251 was published for wlc (pip) Jan 12, 2026
nijel Credited to nijel and Zee99y Zee99y Zee99y
ComposioHQ has a directory traversal vulnerability Moderate
CVE-2025-56427 was published for composio (pip) Dec 4, 2025
Ansible Community General Collection is vulnerable to exposure of sensitive information Moderate
CVE-2025-14010 was published for ansible (pip) Dec 4, 2025
reanguiano Credited to reanguiano
BBOT's gitlab.py exposes globally configured "gitlab" API key Moderate
CVE-2025-10282 was published for bbot (pip) Oct 27, 2025
justinsteven Credited to justinsteven
ProTip! Advisories are also available from the GraphQL API