Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

2,027 advisories

Loading
WsgiDAV encoded dot segments can escape filesystem share roots High
CVE-2026-48099 was published for wsgidav (pip) Jun 11, 2026
0xHunSec Credited to 0xHunSec
Dulwich Vulnerable to Command Injection via Merge Driver Path High
CVE-2026-42563 was published for dulwich (pip) May 28, 2026
hayageek Credited to hayageek
Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows High
CVE-2026-42305 was published for dulwich (pip) May 28, 2026
ctoth Credited to ctoth and jelmer jelmer jelmer
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing High
CVE-2026-47781 was published for pdm (pip) Jun 11, 2026
xuemian168 Credited to xuemian168
PDM wheel installation leads to Path Traversal via overridden write_to_fs High
CVE-2026-47764 was published for pdm (pip) Jun 10, 2026
Litestar has HTML Injection Through its CSRF Token High
CVE-2026-48060 was published for litestar (pip) Jun 10, 2026
Blinky-Keys Credited to Blinky-Keys
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out High
CVE-2026-46517 was published for lmdeploy (pip) May 21, 2026
ibondarenko1 Credited to ibondarenko1
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization High
CVE-2026-46432 was published for lmdeploy (pip) May 21, 2026
beanduan22 Credited to beanduan22
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator High
CVE-2026-44716 was published for pipecat-ai (pip) May 15, 2026
AAtomical Credited to AAtomical
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser High
CVE-2026-46374 was published for sqlfluff (pip) May 19, 2026
SQLFluff: Recursive Stack Overflow in Parser High
CVE-2026-46373 was published for sqlfluff (pip) May 19, 2026
Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter High
CVE-2021-47935 was published for sentry (pip) May 10, 2026
SAP Cloud SDK for AI Python has OS Command Injection when Program Objects Execution is Enabled High
CVE-2023-25617 was published for sap-ai-sdk-base (pip) Mar 14, 2023
pywasm3 contains a Use-After-Free in ForEachModule High
CVE-2024-27530 was published for pywasm3 (pip) Nov 9, 2024
pywasm3 has an Invalid Memory Read, Leading to DoS and Potential Code Execution High
CVE-2024-27528 was published for pywasm3 (pip) Nov 9, 2024
Ray Dashboard is vulnerable to path traversal through its static file handling mechanism High
CVE-2026-32981 was published for ray (pip) Mar 17, 2026
ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override High
CVE-2026-44541 was published for ethyca-fides (pip) May 14, 2026
daveqnet Credited to daveqnet
OpenStack Ironic Python Agent Includes Functionality from Untrusted Control Sphere High
CVE-2026-43003 was published for ironic-python-agent (pip) May 1, 2026
LiteLLM: Authenticated command execution via MCP stdio test endpoints High
CVE-2026-42271 was published for litellm (pip) Apr 25, 2026
Wagtail regular expression denial-of-service via search query parsing High
CVE-2024-39317 was published for wagtail (pip) Jul 11, 2024
RealOrangeOne Credited to RealOrangeOne
Remote Code Execution via traversal in TAL expressions High
CVE-2021-32674 was published for Zope (pip) Jun 8, 2021
Catastrophic backtracking in URL authority parser when passed URL containing many @ characters High
CVE-2021-33503 was published for urllib3 (pip) Jun 1, 2021
NariyoshiChida Credited to NariyoshiChida and ap-wtioit ap-wtioit ap-wtioit
Apache Spark UI can allow impersonation if ACLs enabled High
CVE-2022-33891 was published for org.apache.spark:spark-parent_2.12 (Maven) Jul 19, 2022
alowayed Credited to alowayed
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content High
CVE-2026-42557 was published for jupyterlab (pip) May 6, 2026
fg0x0 Credited to fg0x0, krassowski, jtpio, and Yann-P krassowski krassowski
jtpio jtpio Yann-P Yann-P
NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text() High
CVE-2026-45553 was published for nicegui (pip) May 18, 2026
dennyabrahamsinaga Credited to dennyabrahamsinaga, falkoschindler, h3ri0s, and evnchn falkoschindler falkoschindler
h3ri0s h3ri0s evnchn evnchn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database