GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

677 advisories

ChromaDB Python project has a pre-authentication code injection vulnerability Critical
CVE-2026-45829 was published for chromadb (pip) May 18, 2026
Malicious dropper in mistralai 2.4.6 PyPI package Critical
GHSA-wx9m-wx4f-4cmg was published for mistralai (pip) May 18, 2026
Credited to nullcharb
SGLang: Unauthenticated RCE via --enable-custom-logit-processor Critical
CVE-2026-7304 was published for sglang (pip) May 18, 2026
SGLang: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket Critical
CVE-2026-7301 was published for sglang (pip) May 18, 2026
SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability Critical
CVE-2026-7302 was published for sglang (pip) May 18, 2026
Credited to ZeroXJacks
Ludwig framework is vulnerable to insecure deserialization in its model serving component Critical
CVE-2026-31238 was published for ludwig (pip) May 12, 2026
llm CLI tool contains a code injection vulnerability via `--functions` command-line argument Critical
CVE-2026-31236 was published for llm (pip) May 12, 2026
Ludwig framework is vulnerable to insecure deserialization through its predict() method. Critical
CVE-2026-31237 was published for ludwig (pip) May 12, 2026
Horovod contains an insecure deserialization vulnerability in its KVStore HTTP server component Critical
CVE-2026-31234 was published for horovod (pip) May 12, 2026
Guardrails AI contains a code injection vulnerability in its Hub package installation mechanism Critical
CVE-2026-31233 was published for guardrails-ai (pip) May 12, 2026
PySyft server-side arbitrary Python execution after code approval Critical
CVE-2026-31220 was published for syft (pip) May 12, 2026
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection Critical
CVE-2026-44336 was published for PraisonAI (pip) May 11, 2026
Credited to Curly-Haired-Baboon
Open WebUI has an LDAP Empty Password Authentication Bypass Critical
CVE-2026-44551 was published for open-webui (pip) May 8, 2026
Credited to Classic298
dash-uploader has a directory traversal vulnerability Critical
CVE-2026-38360 was published for dash-uploader (pip) May 8, 2026
Credited to a1ohadance
Compromise of PyTorch Lightning PyPI Package Versions Critical
CVE-2026-44484 was published for pytorch-lightning (pip) May 7, 2026
misp-modules website - Missing CSRF protection in the website home blueprint Critical
CVE-2026-44364 was published for misp-modules (pip) May 6, 2026
Credited to DavidCruciani
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass Critical
CVE-2026-43948 was published for wger (pip) May 6, 2026
Credited to whatisproblem
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API Critical
CVE-2026-29090 was published for rucio (pip) May 6, 2026
Credited to Mistz1
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API Critical
CVE-2026-29080 was published for rucio (pip) May 6, 2026
Credited to Mistz1
django-s3file is vulnerable to relative path traversal Critical
CVE-2026-42196 was published for django-s3file (pip) May 5, 2026
Credited to stsewd and amureki
Langflow Knowledge Bases API is Vulnerable to Path Traversal Critical
CVE-2026-42048 was published for langflow (pip) May 5, 2026
Credited to ddlxstudio, nekros1xx, AntonioABLima, Cristhianzl, and andifilhohub