Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,630
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,850
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

191 advisories

Loading
Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates Moderate
CVE-2026-40602 was published for homeassistant-cli (pip) Apr 16, 2026
heyitsPiyush Credited to heyitsPiyush and fabaff fabaff fabaff
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters High
CVE-2025-61773 was published for pyload-ng (pip) Oct 9, 2025
odaysec Credited to odaysec
SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox High
CVE-2026-32640 was published for simpleeval (pip) Mar 13, 2026
ByamB4 Credited to ByamB4 and danthedeckie danthedeckie danthedeckie
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization High
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
shakevsky Credited to shakevsky
Apache Airflow: RCE by race condition in example_xcom dag High
CVE-2025-54550 was published for apache-airflow (pip) Apr 16, 2026
Weblate: Remote code execution during backup restoration High
CVE-2026-33435 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel and amCap1712 amCap1712 amCap1712
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver High
CVE-2026-33154 was published for dynaconf (pip) Mar 18, 2026
redyank Credited to redyank
PraisonAI has critical RCE via `type: job` workflow YAML Critical
CVE-2026-40288 was published for PraisonAI (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
PraisonAI Vulnerable to RCE via Automatic tools.py Import High
CVE-2026-40287 was published for PraisonAI (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
FoundationAgents MetaGPT vulnerable to eval injection Moderate
CVE-2026-5971 was published for metagpt (pip) Apr 9, 2026
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading High
CVE-2026-40156 was published for praisonai (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure High
CVE-2026-40158 was published for PraisonAI (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
PraisonAI has Template Injection in Agent Tool Definitions High
CVE-2026-39891 was published for praisonai (pip) Apr 8, 2026
offset Credited to offset
Kedro has Arbitrary Code Execution via Malicious Logging Configuration Critical
CVE-2026-35171 was published for kedro (pip) Apr 3, 2026
Wernerina Credited to Wernerina
TorchGeo Remote Code Execution Vulnerability High
CVE-2024-49048 was published for torchgeo (pip) Apr 1, 2026
zpbrent Credited to zpbrent, calebrob6, and adamjstewart calebrob6 calebrob6
adamjstewart adamjstewart
Duplicate Advisory: TorchGeo Remote Code Execution Vulnerability High
GHSA-g5vp-j278-8pjh was published for torchgeo (pip) Nov 12, 2024 withdrawn
Langflow has Authenticated Code Execution in Agentic Assistant Validation Critical
CVE-2026-33873 was published for langflow (pip) Mar 26, 2026
kexinoh Credited to kexinoh and andifilhohub andifilhohub andifilhohub
BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml High
CVE-2026-33744 was published for bentoml (pip) Mar 26, 2026
golang-not-rust Credited to golang-not-rust
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint Critical
CVE-2026-33017 was published for langflow (pip) Mar 17, 2026
Aviral2642 Credited to Aviral2642, andifilhohub, Jkavia, and srmish-jfrog andifilhohub andifilhohub
Jkavia Jkavia srmish-jfrog srmish-jfrog
Intake has a Command Injection via shell() Expansion in Parameter Defaults High
CVE-2026-33310 was published for intake (pip) Mar 19, 2026
redyank Credited to redyank
Langflow has an Arbitrary File Write (RCE) via v2 API Critical
CVE-2026-33309 was published for langflow (pip) Mar 19, 2026
akshatgit Credited to akshatgit, abhinavagarwal07, Jkavia, and andifilhohub abhinavagarwal07 abhinavagarwal07
Jkavia Jkavia andifilhohub andifilhohub
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py Critical
CVE-2026-33057 was published for mesop (pip) Mar 18, 2026
liyander Credited to liyander
MLflow has a command injection in mlflow/sagemaker/__init__.py High
CVE-2025-14287 was published for mlflow (pip) Mar 16, 2026
changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text() High
CVE-2026-29039 was published for changedetection.io (pip) Mar 4, 2026
DhiyaneshGeek Credited to DhiyaneshGeek and neo-ai-engineer neo-ai-engineer neo-ai-engineer
Langflow has Remote Code Execution in CSV Agent Critical
CVE-2026-27966 was published for langflow (pip) Feb 27, 2026
weblover12 Credited to weblover12, andifilhohub, and Adam-Aghili andifilhohub andifilhohub
Adam-Aghili Adam-Aghili
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database