
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

455 advisories

Tornado has out-of-bounds memory access via C extension (severity: Low)
CVE-2026-49854, published for tornado (pip) on Jun 12, 2026
Credited to sondt99

Dulwich doesn't sanitize commit subjects in `porcelain.format_patch` (severity: Low)
CVE-2026-47712, published for dulwich (pip) on Jun 8, 2026
Credited to ctoth and jelmer

Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known (severity: Low)
CVE-2026-47716, published for bugsink (pip) on Jun 5, 2026
Credited to Susen2

Bugsink: Issue event views can show an event from another project if its UUID is known (severity: Low)
CVE-2026-47715, published for bugsink (pip) on Jun 5, 2026
Credited to nuiifornet
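The two Bugsink entries above describe the same authorization mistake: an object is fetched by its UUID alone, so knowing the identifier substitutes for belonging to the project. The following Python is an added illustration of that pattern and its fix, written for this page; it is not Bugsink's code. The in-memory store is constructed for the demonstration and the function names (bulk_resolve_by_uuid, bulk_resolve_in_project) are hypothetical.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class Issue:
    id: uuid.UUID
    project: str
    resolved: bool = False


@dataclass
class Store:
    """Constructed stand-in for the database: every issue keyed by its UUID."""
    issues: dict = field(default_factory=dict)

    def add(self, project):
        issue = Issue(uuid.uuid4(), project)
        self.issues[issue.id] = issue
        return issue


def bulk_resolve_by_uuid(store, ids):
    """Vulnerable pattern (hypothetical name): the lookup is keyed by UUID
    alone, so an unguessable id is the only thing between a user and another
    project's data."""
    touched = 0
    for issue_id in ids:
        issue = store.issues.get(issue_id)
        if issue is not None:
            issue.resolved = True
            touched += 1
    return touched


def bulk_resolve_in_project(store, project, ids):
    """Hardened pattern (hypothetical name): the caller's project is part of
    every lookup. An id that belongs to another project is handled exactly
    like an unknown id, so the response does not even confirm it exists."""
    touched = 0
    for issue_id in ids:
        issue = store.issues.get(issue_id)
        if issue is None or issue.project != project:
            continue
        issue.resolved = True
        touched += 1
    return touched


def demo():
    """Two projects, one issue each; a user of 'alpha' submits both ids."""
    store = Store()
    mine, theirs = store.add("alpha"), store.add("beta")
    by_uuid = bulk_resolve_by_uuid(store, [mine.id, theirs.id])
    crossed = theirs.resolved            # beta's issue was modified

    store = Store()                      # fresh state for the scoped variant
    mine, theirs = store.add("alpha"), store.add("beta")
    in_project = bulk_resolve_in_project(store, "alpha", [mine.id, theirs.id])

    return {
        "by_uuid_count": by_uuid,
        "by_uuid_crossed_project": crossed,
        "in_project_count": in_project,
        "in_project_crossed_project": theirs.resolved,
    }
```

Scoping the query by the caller's project also keeps the response from distinguishing "exists in another project" from "does not exist". That matters because a random UUID is unguessable but not secret: it leaks through logs, referrers, screenshots and shared links, which is exactly the "if its UUID is known" condition in both advisories.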
Vantage6: No limit on emails sent for password/MFA reset (severity: Low)
CVE-2024-24769, published for vantage6 (pip) on Jun 5, 2026

kas's late signature validation may allow unnoticed repository manipulations (severity: Low)
CVE-2026-47192, published for kas (pip) on Jun 4, 2026
Credited to fmoessbauer

kas checks out SHA-like git branches as valid commits (severity: Low)
CVE-2026-47191, published for kas (pip) on Jun 1, 2026
Credited to adityasaky

Crawlee for Python: SSRF via sitemap-derived URLs (severity: Low)
CVE-2026-46497, published for crawlee (pip) on May 21, 2026
Credited to FORIMOC and Arturo0x90

Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs (severity: Low)
CVE-2026-45739, published for strawberry-graphql (pip) on May 19, 2026
Credited to lpschroer, bellini666, and patrick91
Credited to qi-scape and Classic298
OSGeo gdal has a heap-based buffer overflow (severity: Low)
CVE-2026-8212, published for GDAL (pip) on May 10, 2026

justhtml introduces denial-of-service hardening (severity: Low)
GHSA-r8cj-3554-33mr, published for justhtml (pip) on May 8, 2026
Credited to EmilStenstrom

OSGeo GDAL vulnerable to out-of-bounds read (severity: Low)
CVE-2026-8088, published for GDAL (pip) on May 7, 2026

OSGeo GDAL vulnerable to heap-based buffer overflow (severity: Low)
CVE-2026-8087, published for GDAL (pip) on May 7, 2026

aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221) (severity: Low)
GHSA-7mw3-79jq-xc7f, published for aiograpi (pip) on May 6, 2026

Magic Wormhole: receive, with --output pointing at an existing directory, can be path-traversed (severity: Low)
CVE-2026-42448, published for magic-wormhole (pip) on May 6, 2026

Paramiko rsakey.py allows the SHA-1 algorithm (severity: Low)
CVE-2026-44405, published for paramiko (pip) on May 6, 2026

ciguard: Web UI is missing HTTP defence-in-depth headers (severity: Low)
GHSA-7ww3-xvf5-cxwm, published for ciguard (pip) on May 5, 2026

ciguard: discover_pipeline_files follows symlinks out of scan root (severity: Low)
CVE-2026-44220, published for ciguard (pip) on May 5, 2026
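The Magic Wormhole entry (a sender-supplied file name written under an existing --output directory) and the ciguard entry just above (a scan that follows symlinks out of its root) are both failures to confine file operations to a base directory after the path has been resolved. The Python below is an added example written for this page, not code from either project: contained_target and discover_files are hypothetical names, and the directory tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def contained_target(output_dir, sender_name):
    """Return the path a sender-supplied name may be written to under
    output_dir, or None if it would escape that directory (hypothetical helper).

    '../' components, absolute names and names that are existing symlinks
    pointing outside are all rejected. Path joining silently discards the base
    when the right-hand side is absolute, so the check is made on the fully
    resolved result rather than on the raw string.
    """
    base = Path(output_dir).resolve()
    candidate = (base / sender_name).resolve()   # target need not exist yet
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        return None
    return candidate


def discover_files(scan_root, suffixes=(".yml", ".yaml")):
    """Walk scan_root without following directory symlinks and drop any file
    whose real location lies outside the root (hypothetical helper)."""
    root = Path(scan_root).resolve()
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix not in suffixes:
                continue
            real = path.resolve()
            if os.path.commonpath([str(root), str(real)]) != str(root):
                continue  # file symlink escapes the scan root: skip it
            found.append(path.relative_to(root).as_posix())
    return sorted(found)


def demo():
    """Constructed tree: a real pipeline file inside the root, a secret outside
    it, and a symlink inside the root that points at the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        root = tmp / "repo"
        outside = tmp / "outside"
        (root / ".gitlab").mkdir(parents=True)
        outside.mkdir()
        (root / ".gitlab" / "ci.yml").write_text("stages: [test]\n")
        (outside / "secret.yml").write_text("token: constructed-example\n")
        os.symlink(outside / "secret.yml", root / "leak.yml")

        return {
            "files": discover_files(root),
            "plain_name": contained_target(root, "received.txt") is not None,
            "traversal": contained_target(root, "../outside/received.txt"),
            "absolute": contained_target(root, "/etc/passwd"),
            "symlink_name": contained_target(root, "leak.yml"),
        }
```

The containment test uses os.path.commonpath on resolved paths rather than a string-prefix comparison, so a sibling directory named repo2 is not mistaken for a child of repo, and a symlink that sits inside the root but points outside it is still rejected. os.walk with followlinks=False prevents directory symlinks from being descended, but file symlinks still appear in filenames, which is why each candidate is resolved before it is reported.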
ciguard: Container image runs as root (no USER directive) (severity: Low)
CVE-2026-44218, published for ciguard (pip) on May 5, 2026

Microdot has HTTP response splitting in Response.set_cookie() (severity: Low)
CVE-2026-42874, published for microdot (pip) on May 5, 2026
Credited to luantq0
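The Microdot entry names HTTP response splitting in a set_cookie() helper: a cookie value containing CR/LF lands unescaped in the Set-Cookie header, so an attacker-influenced value can end the header, append headers of its own and, with a blank line, end the head entirely so the remainder is served as the body. The Python below is an added example written for this page to show that mechanism and the check that stops it; it is not Microdot's implementation, and set_cookie_unchecked, set_cookie_checked, render_head and parse_response are hypothetical names. The injected value is constructed for the demonstration.

```python
import re

_FORBIDDEN = re.compile(r"[\r\n\x00]")
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 6265 cookie-name


def set_cookie_unchecked(headers, name, value, path="/"):
    """Vulnerable pattern (hypothetical name): the value is interpolated
    straight into the header with no character check."""
    headers.append(("Set-Cookie", f"{name}={value}; Path={path}"))
    return headers


def set_cookie_checked(headers, name, value, path="/"):
    """Hardened pattern (hypothetical name): refuse CR, LF and NUL in every
    field and require a token cookie-name, so no input can terminate the
    header line or the response head."""
    if not _TOKEN.fullmatch(name):
        raise ValueError("cookie name is not an RFC 6265 token")
    for field in (value, path):
        if _FORBIDDEN.search(field):
            raise ValueError("CR/LF/NUL not allowed in cookie fields")
    headers.append(("Set-Cookie", f"{name}={value}; Path={path}"))
    return headers


def render_head(status_line, headers):
    """Serialise a response head the way a minimal HTTP/1.1 server would."""
    return status_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"


def parse_response(raw):
    """Split a raw response as a client would: header lines up to the first
    blank line, everything after it is body."""
    head, _, body = raw.partition("\r\n\r\n")
    parsed = []
    for line in head.split("\r\n")[1:]:
        key, _, val = line.partition(":")
        parsed.append((key.strip(), val.strip()))
    return parsed, body


# Constructed attacker-controlled value: ends the cookie header, adds a second
# Set-Cookie, then ends the head so the rest becomes the response body.
INJECTED = "abc\r\nSet-Cookie: admin=1\r\n\r\n<script>alert(1)</script>"


def demo():
    raw = render_head(
        "HTTP/1.1 200 OK",
        set_cookie_unchecked([("Content-Type", "text/plain")], "lang", INJECTED),
    )
    headers, body = parse_response(raw)
    try:
        set_cookie_checked([], "lang", INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return {"unchecked_headers": headers, "unchecked_body": body, "checked_rejected": rejected}
```

Rejecting CR, LF and NUL is the minimum. Stricter implementations limit the value to RFC 6265 cookie-octets (no whitespace, double quotes, commas, semicolons or backslashes) so a value cannot smuggle in extra cookie attributes either. A framework that stores headers as (name, value) pairs is still exposed if the pair is serialised by string concatenation, which is why the check belongs where the value enters the header, not only in the serialiser.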
Langchain-Chatchat Uses Insufficiently Random Values (severity: Low)
CVE-2026-7847, published for langchain-chatchat (pip) on May 5, 2026