
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

275 advisories

Credited to Rydzz7 and abh3
Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble High
CVE-2026-40162 was published for bugsink (pip) Apr 10, 2026
Credited to DongyangLyu
justhtml includes multiple security fixes Moderate
GHSA-c9vm-hv86-f23r was published for justhtml (pip) Apr 10, 2026
Credited to EmilStenstrom
LangChain has incomplete f-string validation in prompt templates Moderate
CVE-2026-40087 was published for langchain-core (pip) Apr 8, 2026
AIOHTTP accepts duplicate Host headers Moderate
CVE-2026-34525 was published for aiohttp (pip) Apr 1, 2026
Credited to 5yu4n, rodrigobnogueira, and bdraco
ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings. High
CVE-2026-34445 was published for onnx (pip) Apr 1, 2026
Credited to ZeroXJacks
openssl-encrypt silently skips schema validation when jsonschema library is not installed Moderate
GHSA-425g-fjhq-5h92 was published for openssl-encrypt (pip) Mar 31, 2026
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys Moderate
CVE-2026-33936 was published for ecdsa (pip) Mar 27, 2026
Credited to 0xmrma
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion Moderate
CVE-2026-33332 was published for nicegui (pip) Mar 19, 2026
Credited to aest3ra, oxqnd, mjkim610, evnchn, Khaliun-sw1, and falkoschindler
Credited to Mistz1
datapizza-ai has unsafe deserialization via pickle.loads() in RedisCache Low
CVE-2026-2970 was published for datapizza-ai-core (pip) Feb 23, 2026
Credited to Sirdorblu
vLLM introduced enhanced protection for CVE-2025-62164 High
GHSA-mcmc-2m55-j8jj was published for vllm (pip) Jan 8, 2026
Weblate is vulnerable to RCE through Git config file overwrite Critical
CVE-2025-68398 was published for Weblate (pip) Dec 18, 2025
Credited to secjson and nijel
vLLM deserialization vulnerability leading to DoS and potential RCE High
CVE-2025-62164 was published for vllm (pip) Nov 20, 2025
Credited to omriaxion, russellb, DarkLight1337, Isotr0py, ywang96, and davidatom
uv allows ZIP payload obfuscation through parsing differentials Moderate
GHSA-pqhf-p39g-3x64 was published for uv (pip) Oct 29, 2025
Credited to calebbrown, woodruffw, and zanieb
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments High
CVE-2025-61920 was published for authlib (pip) Oct 10, 2025
Credited to AL-Cybision
vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server Moderate
CVE-2025-61620 was published for vllm (pip) Oct 7, 2025
Credited to key-moon, Ga-ryo, ota42y, Alnusjaponica, Isotr0py, and DarkLight1337
Duplicate Advisory: motionEye vulnerable to RCE via unsanitized motion config parameter High
GHSA-26f6-wm47-7h7j was published for motioneye (pip) Oct 3, 2025 (withdrawn)
mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders Moderate
CVE-2025-59940 was published for mkdocs-include-markdown-plugin (pip) Sep 29, 2025
Credited to mondeja
ml-logger deserialization vulnerability Low
CVE-2025-10950 was published for ml-logger (pip) Sep 25, 2025
Llama Stack could potentially allow for remote code execution Moderate
CVE-2025-55178 was published for llama-stack (pip) Sep 24, 2025
Duplicate Advisory: Picklescan Bypass is Possible via File Extension Mismatch Critical
GHSA-j424-mc44-f4hj was published for picklescan (pip) Sep 17, 2025 (withdrawn)
Picklescan Bypass is Possible via File Extension Mismatch Critical
CVE-2025-10155 was published for picklescan (pip) Sep 10, 2025