GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

291 advisories

Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass Critical
CVE-2026-44180 was published for jupyter_enterprise_gateway (pip) Jun 3, 2026
Credited to ben-elttam, matt-elttam, and lresende
eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check Moderate
GHSA-74r7-3mjm-jc5v was published for edumfa (pip) May 18, 2026
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url High
GHSA-3wgj-c2hg-vm6q was published for open-webui (pip) May 14, 2026
Credited to matte1782
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation Moderate
CVE-2026-45317 was published for open-webui (pip) May 14, 2026
Credited to bray-sec and Classic298
Synapse pagination Denial of Service Moderate
CVE-2026-45076 was published for matrix-synapse (pip) May 14, 2026
oxidize-pdf: NaN/inf bypass in colour content-stream emission causes PDF rejection (DoS) Moderate
GHSA-88q9-cmp2-c2vq was published for OxidizePdf.NET (NuGet) May 11, 2026
Credited to bzsanti
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection Critical
CVE-2026-44336 was published for PraisonAI (pip) May 11, 2026
Credited to Curly-Haired-Baboon
PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries Moderate
CVE-2026-44337 was published for PraisonAI (pip) May 11, 2026
Credited to shmulc8
Credited to aslein1413-sys
gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense High
GHSA-52cq-7v8r-62c6 was published for gmaps-mcp (pip) May 8, 2026
Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic High
CVE-2026-42544 was published for granian (pip) May 6, 2026
Credited to Z-Bra0
Credited to pmcao, Yann-P, and krassowski
pyp2spec is Vulnerable to Code Injection High
CVE-2026-42301 was published for pyp2spec (pip) May 4, 2026
Credited to gouldnicholas
SGLang has an Improper Input Validation/Injection Issue Moderate
CVE-2026-7669 was published for sglang (pip) May 3, 2026
mem0ai mem0 has an Improper Input Validation Issue Low
CVE-2026-7597 was published for mem0ai (pip) May 2, 2026
Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url Moderate
CVE-2026-41654 was published for weblate (pip) Apr 30, 2026
Credited to fg0x0 and nijel
Credited to Rydzz7 and abh3
Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble High
CVE-2026-40162 was published for bugsink (pip) Apr 10, 2026
Credited to DongyangLyu
justhtml includes multiple security fixes Moderate
GHSA-c9vm-hv86-f23r was published for justhtml (pip) Apr 10, 2026
Credited to EmilStenstrom
LangChain has incomplete f-string validation in prompt templates Moderate
CVE-2026-40087 was published for langchain-core (pip) Apr 8, 2026
AIOHTTP accepts duplicate Host headers Moderate
CVE-2026-34525 was published for aiohttp (pip) Apr 1, 2026
Credited to 5yu4n, rodrigobnogueira, and bdraco
ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings. High
CVE-2026-34445 was published for onnx (pip) Apr 1, 2026
Credited to ZeroXJacks
openssl-encrypt silently skips schema validation when jsonschema library is not installed Moderate
GHSA-425g-fjhq-5h92 was published for openssl-encrypt (pip) Mar 31, 2026
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys Moderate
CVE-2026-33936 was published for ecdsa (pip) Mar 27, 2026
Credited to 0xmrma