Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

2,180 advisories

Loading
Vantage6: 2FA can be circumvented with hacked email access Moderate
CVE-2024-27928 was published for vantage6 (pip) Jun 5, 2026
Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification Moderate
CVE-2026-47707 was published for strawberry-graphql (pip) Jun 4, 2026
gonas0919 Credited to gonas0919, bellini666, Ckk3, and patrick91 bellini666 bellini666
Ckk3 Ckk3 patrick91 patrick91
Strawberry GraphQL has a Circular Fragment Reference DOS Moderate
CVE-2026-47706 was published for strawberry-graphql (pip) Jun 4, 2026
gonas0919 Credited to gonas0919, Ckk3, bellini666, and patrick91 Ckk3 Ckk3
bellini666 bellini666 patrick91 patrick91
WebOb: Location header normalization during redirect leads to open redirect - again Moderate
CVE-2026-44889 was published for webob (pip) Jun 4, 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks Moderate
CVE-2026-48710 was published for starlette (pip) Jun 4, 2026
x41j Credited to x41j, ehhthing, and nic-lovin ehhthing ehhthing
nic-lovin nic-lovin
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies Moderate
CVE-2026-47265 was published for aiohttp (pip) Jun 3, 2026
Dreamsorcerer Credited to Dreamsorcerer
Docling: Potential Path Traversal via LaTeX \includegraphics and \input Commands Moderate
CVE-2026-44022 was published for docling (pip) Jun 3, 2026
brodmart Credited to brodmart
Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend Moderate
CVE-2026-44018 was published for docling (pip) Jun 3, 2026
brodmart Credited to brodmart
malla: Stored XSS via Meshtastic node names in multiple frontend pages Moderate
CVE-2026-43980 was published for malla (pip) Jun 3, 2026
tiagoabreu22 Credited to tiagoabreu22
AIOHTTP is Vulnerable to Deserialization of Untrusted Data Moderate
CVE-2026-34993 was published for aiohttp (pip) Jun 3, 2026
tsigouris007 Credited to tsigouris007 and YuvalElbar6 YuvalElbar6 YuvalElbar6
praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id} Moderate
CVE-2026-47411 was published for praisonai-platform (pip) Jun 1, 2026
rattler has an entry-point path traversal in noarch:python install (arbitrary file write) Moderate
CVE-2026-47425 was published for py-rattler (pip) Jun 1, 2026
berkant-koc Credited to berkant-koc
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership Moderate
CVE-2026-47408 was published for praisonai-platform (pip) May 29, 2026
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context Moderate
CVE-2026-47395 was published for PraisonAI (pip) May 29, 2026
beanduan22 Credited to beanduan22
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings Moderate
CVE-2026-47390 was published for PraisonAI (pip) May 29, 2026
beanduan22 Credited to beanduan22
BoxLite has a Timeout Bypass Vulnerability Moderate
CVE-2026-47213 was published for boxlite (pip) May 29, 2026
XlabAITeam Credited to XlabAITeam
zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood Moderate
CVE-2026-47184 was published for zeroconf (pip) May 29, 2026
zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion Moderate
CVE-2026-47183 was published for zeroconf (pip) May 29, 2026
zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service Moderate
CVE-2026-47180 was published for zeroconf (pip) May 29, 2026
uv is vulnerable to arbitrary file write through entry point names Moderate
GHSA-4gg8-gxpx-9rph was published for uv (pip) May 29, 2026
zsol Credited to zsol and zanieb zanieb zanieb
tuf has platform-dependent delegation path matching Moderate
GHSA-qp9x-wp8f-qgjj was published for tuf (pip) May 28, 2026
kodareef5 Credited to kodareef5
Shamefile has an arbitrary file read via shamefile.yaml in shame next Moderate
CVE-2026-47144 was published for shamefile (npm) May 28, 2026
BKDDFS Credited to BKDDFS
local-deep-research has an SSRF bypass in `safe_get` Moderate
CVE-2026-46526 was published for local-deep-research (pip) May 28, 2026
Fushuling Credited to Fushuling and RacerZ-fighting RacerZ-fighting RacerZ-fighting
compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem Moderate
CVE-2026-46380 was published for compliance-trestle (pip) May 28, 2026
yantongggg Credited to yantongggg and l3tchupkt l3tchupkt l3tchupkt
compliance-trestle Profile Import has an Arbitrary File Read via trestle:// URI and Relative Path Traversal Moderate
CVE-2026-45774 was published for compliance-trestle (pip) May 28, 2026
AnistoMejin Credited to AnistoMejin and yantongggg yantongggg yantongggg
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database