GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

109 advisories

Credited to pierreolivierbonin and jperezdealgaba

PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing (High)
CVE-2026-47781 was published for pdm (pip) Jun 11, 2026

Credited to xuemian168

Docling: Unsafe Playwright-based HTML Rendering (High)
CVE-2026-44016 was published for docling (pip) Jun 3, 2026

Credited to brodmart
Credited to SnailSploit

compliance-trestle Vulnerable to Remote Code Execution via Recursive Server-Side Template Injection (SSTI) (High)
CVE-2026-46439 was published for compliance-trestle (pip) May 28, 2026

Credited to l3tchupkt
Credited to ibondarenko1
Credited to beanduan22

ModelScope is vulnerable to arbitrary code injection via a crafted module (High)
CVE-2025-51427 was published for modelscope (pip) May 19, 2026

Superduper: Remote code execution via unsafe eval in superduper query parsing (High)
CVE-2026-31225 was published for superduper-framework (pip) May 12, 2026

Credited to SSJCorpSec

Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components (High)
CVE-2026-44513 was published for diffusers (pip) May 7, 2026

Credited to hlky and Vancir

Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components (High)
CVE-2026-44827 was published for diffusers (pip) May 7, 2026 (withdrawn)

PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass) (High)
CVE-2026-44334 was published for praisonai (pip) May 6, 2026

Credited to everping

GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath (High)
CVE-2026-44244 was published for GitPython (pip) May 6, 2026

Credited to daridor9

pyp2spec is Vulnerable to Code Injection (High)
CVE-2026-42301 was published for pyp2spec (pip) May 4, 2026

Credited to gouldnicholas

Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization (High)
CVE-2026-41486 was published for ray (pip) Apr 24, 2026

Credited to shakevsky

Weblate: Remote code execution during backup restoration (High)
CVE-2026-33435 was published for weblate (pip) Apr 16, 2026

Credited to nijel and amCap1712

Apache Airflow: RCE by race condition in example_xcom dag (High)
CVE-2025-54550 was published for apache-airflow (pip) Apr 16, 2026

PraisonAI Vulnerable to RCE via Automatic tools.py Import (High)
CVE-2026-40287 was published for PraisonAI (pip) Apr 10, 2026

Credited to l3tchupkt

PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading (High)
CVE-2026-40156 was published for praisonai (pip) Apr 10, 2026

Credited to l3tchupkt

PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure (High)
CVE-2026-40158 was published for PraisonAI (pip) Apr 10, 2026

Credited to l3tchupkt

PraisonAI has Template Injection in Agent Tool Definitions (High)
CVE-2026-39891 was published for praisonai (pip) Apr 8, 2026

Credited to offset

TorchGeo Remote Code Execution Vulnerability (High)
CVE-2024-49048 was published for torchgeo (pip) Apr 1, 2026

Credited to zpbrent, calebrob6, and adamjstewart