Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

60 advisories

Loading
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise Critical
CVE-2026-55166 was published for lemur (pip) Jun 25, 2026
im-rootkid Credited to im-rootkid
stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA) High
GHSA-x26h-xmv8-gxf7 was published for stigmem-node (pip) Jun 19, 2026
yzeirnials Credited to yzeirnials, andifilhohub, LeftenantZero, Zwique, AntonioABLima, erichare, and Adam-Aghili andifilhohub andifilhohub
LeftenantZero LeftenantZero Zwique Zwique AntonioABLima AntonioABLima erichare erichare Adam-Aghili Adam-Aghili
praisonai-platform: Authorization Bypass Through User-Controlled Key Moderate
GHSA-2fjj-qqg8-fg7x was published for praisonai-platform (pip) Jun 18, 2026
sai-sh Credited to sai-sh
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion Moderate
CVE-2026-54015 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, Classic298, and 5yu4n Classic298 Classic298
5yu4n 5yu4n
Open WebUI: Forged chat-file link allows cross-user file read and deletion High
CVE-2026-54010 was published for open-webui (pip) Jun 17, 2026
0xEr3n Credited to 0xEr3n, 5yu4n, Classic298, and oxsignal 5yu4n 5yu4n
Classic298 Classic298 oxsignal oxsignal
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field Moderate
CVE-2026-54009 was published for open-webui (pip) Jun 17, 2026
bl4ckr0ss3 Credited to bl4ckr0ss3 and Classic298 Classic298 Classic298
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar Moderate
CVE-2026-54006 was published for open-webui (pip) Jun 17, 2026
nayakchinmohan Credited to nayakchinmohan and Classic298 Classic298 Classic298
Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints High
CVE-2026-33760 was published for langflow (pip) Jun 16, 2026
akshatgit Credited to akshatgit, AntonioABLima, andifilhohub, ethansilvas, yzeirnials, and Jkavia AntonioABLima AntonioABLima
andifilhohub andifilhohub ethansilvas ethansilvas yzeirnials yzeirnials Jkavia Jkavia
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known Low
CVE-2026-47716 was published for bugsink (pip) Jun 5, 2026
Susen2 Credited to Susen2
Bugsink: Issue event views can show an event from another project if its UUID is known Low
CVE-2026-47715 was published for bugsink (pip) Jun 5, 2026
nuiifornet Credited to nuiifornet
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
offset Credited to offset
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID High
CVE-2026-47399 was published for praisonai-platform (pip) May 29, 2026
beanduan22 Credited to beanduan22
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation Critical
CVE-2026-47407 was published for praisonai-platform (pip) May 29, 2026
spbavarva Credited to spbavarva
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership Moderate
CVE-2026-47408 was published for praisonai-platform (pip) May 29, 2026
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API High
CVE-2026-48169 was published for praisonai-platform (pip) May 29, 2026
joshuaalwin Credited to joshuaalwin
OpenStack Keystone has an Authorization Bypass Moderate
CVE-2026-42999 was published for keystone (pip) May 28, 2026
pretix vulnerable to Authorization Bypass Through User-Controlled Key Low
CVE-2026-9712 was published for pretix (pip) May 27, 2026
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion High
CVE-2026-45671 was published for open-webui (pip) May 14, 2026
Inar1Dev Credited to Inar1Dev
ProTip! Advisories are also available from the GraphQL API