GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,144 advisories

pypdf: Possible large memory usage for large offsets for layout mode text Moderate
CVE-2026-48155 was published for pypdf (pip) Jun 12, 2026
Credited to sondt99 and stefan6419846
Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset Moderate
CVE-2026-48053 was published for kolibri (pip) Jun 11, 2026
Credited to beraoudabdelkhalek and rtibbles
PDM: Project-Local State and Config Writes Follow Symlinks Moderate
CVE-2026-47763 was published for pdm (pip) Jun 10, 2026
Credited to xuemian168 and ZejiHui
Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header Moderate
CVE-2026-48061 was published for litestar (pip) Jun 10, 2026
Credited to gik2927
Credited to addcontent, russellb, and jperezdealgaba
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs Moderate
CVE-2026-47734 was published for dulwich (pip) Jun 8, 2026
Credited to jelmer
GeoNode contains a server-side request forgery vulnerability in the service registration endpoint Moderate
CVE-2026-39922 was published for geonode (pip) Jun 8, 2026
Credited to CodingRule
Bugsink: DOS using large numbers of event tags Moderate
CVE-2026-53954 was published for bugsink (pip) Jun 5, 2026
Credited to seankohjs
Bugsink: Project scoping missing in sourcemap and debug-file lookup Moderate
CVE-2026-47728 was published for bugsink (pip) Jun 5, 2026
Credited to ShuluZhuo
Improper Access Control in vantage6 node Moderate
GHSA-x9f6-9rvm-mmrg was published for vantage6 (pip) Jun 5, 2026
Vantage6: Set admin user and password from environment or configuration Moderate
GHSA-fgmc-2hqj-86v4 was published for vantage6 (pip) Jun 5, 2026
Vantage6: 2FA can be circumvented with hacked email access Moderate
CVE-2024-27928 was published for vantage6 (pip) Jun 5, 2026
Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification Moderate
CVE-2026-47707 was published for strawberry-graphql (pip) Jun 4, 2026
Credited to gonas0919, bellini666, Ckk3, and patrick91
Strawberry GraphQL has a Circular Fragment Reference DOS Moderate
CVE-2026-47706 was published for strawberry-graphql (pip) Jun 4, 2026
Credited to gonas0919, Ckk3, bellini666, and patrick91
WebOb: Location header normalization during redirect leads to open redirect - again Moderate
CVE-2026-44889 was published for webob (pip) Jun 4, 2026
Credited to x41j, ehhthing, and nic-lovin
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies Moderate
CVE-2026-47265 was published for aiohttp (pip) Jun 3, 2026
Docling: Potential Path Traversal via LaTeX \includegraphics and \input Commands Moderate
CVE-2026-44022 was published for docling (pip) Jun 3, 2026
Credited to brodmart
Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend Moderate
CVE-2026-44018 was published for docling (pip) Jun 3, 2026
Credited to brodmart
malla: Stored XSS via Meshtastic node names in multiple frontend pages Moderate
CVE-2026-43980 was published for malla (pip) Jun 3, 2026
Credited to tiagoabreu22
AIOHTTP is Vulnerable to Deserialization of Untrusted Data Moderate
CVE-2026-34993 was published for aiohttp (pip) Jun 3, 2026
Credited to tsigouris007 and YuvalElbar6
Advisories are also available from the GraphQL API.