
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

5,303 advisories

Tornado has out-of-bounds memory access via C extension (Low)
CVE-2026-49854, tornado (pip), published Jun 12, 2026
Credited to sondt99

pypdf: Possible large memory usage for large offsets for layout mode text (Moderate)
CVE-2026-48155, pypdf (pip), published Jun 12, 2026
Credited to sondt99 and stefan6419846

WsgiDAV encoded dot segments can escape filesystem share roots (High)
CVE-2026-48099, wsgidav (pip), published Jun 11, 2026
Credited to 0xHunSec

Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset (Moderate)
CVE-2026-48053, kolibri (pip), published Jun 11, 2026
Credited to beraoudabdelkhalek and rtibbles

Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token (Critical)
CVE-2026-48039, meta-ads-mcp (pip), published Jun 11, 2026
Credited to 232-323

PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing (High)
CVE-2026-47781, pdm (pip), published Jun 11, 2026
Credited to xuemian168

PDM wheel installation leads to Path Traversal via overridden write_to_fs (High)
CVE-2026-47764, pdm (pip), published Jun 10, 2026

PDM: Project-Local State and Config Writes Follow Symlinks (Moderate)
CVE-2026-47763, pdm (pip), published Jun 10, 2026
Credited to xuemian168 and ZejiHui

Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header (Moderate)
CVE-2026-48061, litestar (pip), published Jun 10, 2026
Credited to gik2927

Litestar has HTML Injection Through its CSRF Token (High)
CVE-2026-48060, litestar (pip), published Jun 10, 2026
Credited to Blinky-Keys

Credited to addcontent, russellb, and jperezdealgaba

Dulwich has unbounded memory allocation in receive-pack from crafted thin packs (Moderate)
CVE-2026-47734, dulwich (pip), published Jun 8, 2026
Credited to jelmer

Dulwich doesn't sanitize commit subjects in `porcelain.format_patch` (Low)
CVE-2026-47712, dulwich (pip), published Jun 8, 2026
Credited to ctoth and jelmer

GeoNode contains a server-side request forgery vulnerability in the service registration endpoint (Moderate)
CVE-2026-39922, geonode (pip), published Jun 8, 2026
Credited to CodingRule

Bugsink: DOS using large numbers of event tags (Moderate)
CVE-2026-53954, bugsink (pip), published Jun 5, 2026
Credited to seankohjs

Bugsink: Project scoping missing in sourcemap and debug-file lookup (Moderate)
CVE-2026-47728, bugsink (pip), published Jun 5, 2026
Credited to ShuluZhuo

Bugsink: Issue bulk actions can affect another project's issue if its UUID is known (Low)
CVE-2026-47716, bugsink (pip), published Jun 5, 2026
Credited to Susen2

Bugsink: Issue event views can show an event from another project if its UUID is known (Low)
CVE-2026-47715, bugsink (pip), published Jun 5, 2026
Credited to nuiifornet

Improper Access Control in vantage6 node (Moderate)
GHSA-x9f6-9rvm-mmrg, vantage6 (pip), published Jun 5, 2026

Vantage6: Set admin user and password from environment or configuration (Moderate)
GHSA-fgmc-2hqj-86v4, vantage6 (pip), published Jun 5, 2026
Credited to offset and 0xEr3n
Advisories are also available from the GraphQL API.
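One practical use of that API is to pull the latest advisories and check them against the versions you actually have pinned, instead of reading the list by hand. The script below is an added example, not GitHub's code or any of the listed projects' code. It uses the public GraphQL fields `securityAdvisories`, `ghsaId`, `summary`, `severity`, `identifiers`, `vulnerabilities`, `package`, `vulnerableVersionRange` and `firstPatchedVersion`; the `GITHUB_TOKEN` environment variable, the pinned versions, the placeholder GHSA id and all version ranges in the sample response are constructed for the example and are not the real data behind the advisories above. When no token is present it runs offline against the constructed response.

```python
"""Fetch recent GitHub advisories over GraphQL and match them against
locally pinned pip packages. Added example; sample data is constructed."""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Most recently published advisories, with the affected packages and ranges.
ADVISORY_QUERY = """
query($first: Int!) {
  securityAdvisories(first: $first, orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""


def fetch_advisories(token, first=50):
    """POST the query to GitHub (assumption: a personal access token in `token`)."""
    body = json.dumps({"query": ADVISORY_QUERY, "variables": {"first": first}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body,
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json",
                 "User-Agent": "advisory-check"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _vkey(version):
    # Simplified ordering: numeric components as ints, others as strings.
    # Not full PEP 440 (pre-/post-release tags are not handled).
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b}


def in_range(version, vulnerable_range):
    """True if `version` satisfies every clause of a GitHub range string
    such as '>= 2.0, < 2.5.1' (clauses are comma-separated, AND-ed)."""
    for clause in vulnerable_range.split(","):
        op, _, bound = clause.strip().partition(" ")
        if op not in _OPS or not bound:
            raise ValueError(f"unparsable range clause: {clause!r}")
        if not _OPS[op](_vkey(version), _vkey(bound.strip())):
            return False
    return True


def match_pins(response, pins, ecosystem="PIP"):
    """Return (ghsa_id, cve, package, pinned, range, fixed) for every pinned
    package whose version falls inside an advisory's vulnerable range."""
    hits = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        for vuln in adv["vulnerabilities"]["nodes"]:
            pkg = vuln["package"]
            if pkg["ecosystem"] != ecosystem:
                continue
            pinned = pins.get(pkg["name"].lower())
            if pinned and in_range(pinned, vuln["vulnerableVersionRange"]):
                fixed = (vuln.get("firstPatchedVersion") or {}).get("identifier")
                hits.append((adv["ghsaId"], cve, pkg["name"], pinned,
                             vuln["vulnerableVersionRange"], fixed))
    return hits


# Constructed sample response: the placeholder GHSA id, the version ranges and
# the patched versions are invented for this example, not the real advisory data.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {"nodes": [
    {"ghsaId": "GHSA-0000-0000-0001",
     "summary": "Litestar: AllowedHostsMiddleware bypasses host validation via "
                "client-controlled X-Forwarded-Host header",
     "severity": "MODERATE", "publishedAt": "2026-06-10T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0001"},
                     {"type": "CVE", "value": "CVE-2026-48061"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "PIP", "name": "litestar"},
          "vulnerableVersionRange": "< 2.99.0",
          "firstPatchedVersion": {"identifier": "2.99.0"}}]}},
    {"ghsaId": "GHSA-x9f6-9rvm-mmrg",
     "summary": "Improper Access Control in vantage6 node",
     "severity": "MODERATE", "publishedAt": "2026-06-05T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-x9f6-9rvm-mmrg"}],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "PIP", "name": "vantage6"},
          "vulnerableVersionRange": ">= 4.0.0, < 4.99.0",
          "firstPatchedVersion": None}]}},
]}}}

PINS = {"litestar": "2.12.1", "vantage6": "3.8.0", "tornado": "6.5.1"}  # constructed


def main():
    token = os.environ.get("GITHUB_TOKEN")
    response = fetch_advisories(token) if token else SAMPLE_RESPONSE
    for ghsa, cve, name, pinned, rng, fixed in match_pins(response, PINS):
        print(f"{ghsa} {cve or '-'}: {name}=={pinned} is in {rng!r}; fixed in {fixed or 'n/a'}")


if __name__ == "__main__":
    main()
```

The version comparison is deliberately simple; for production use, replace `_vkey` with `packaging.version.Version` so that pre-release and post-release tags order correctly, and feed `PINS` from a lock file rather than a literal.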