GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count per ecosystem)
All reviewed: 5,000+
Composer: 3,193
Erlang: 25
GitHub Actions: 39
Go: 2,385
Maven: 3,027
npm: 3,079
NuGet: 529
pip: 2,897
Pub: 5
RubyGems: 444
Rust: 905
Swift: 20

Unreviewed advisories
All unreviewed: 5,000+
1,196 advisories
Advisory | Severity | ID | Package (ecosystem) | Published
justhtml has sanitization bypass in custom policies and programmatic DOM | Moderate | GHSA-vrx2-77f2-ww34 | justhtml (pip) | Apr 22, 2026
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation | Moderate | CVE-2026-40948 | apache-airflow-providers-keycloak (pip) | Apr 18, 2026
Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false | Moderate | CVE-2026-30912 | apache-airflow-core (pip) | Apr 18, 2026
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding | Moderate | CVE-2026-39378 | nbconvert (pip) | Apr 21, 2026
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames | Moderate | CVE-2026-39377 | nbconvert (pip) | Apr 21, 2026
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values | Moderate | CVE-2026-35588 | glances (pip) | Apr 21, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback | Moderate | CVE-2026-28684 | python-dotenv (pip) | Apr 21, 2026
pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders | Moderate | GHSA-jm8c-9f3j-4378 | pretalx (pip) | Apr 18, 2026
Apache Airflow: JWT token appearing in logs | Moderate | CVE-2026-31987 | apache-airflow (pip) | Apr 16, 2026
LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass | Moderate | GHSA-fv5p-p927-qmxr | langchain-text-splitters (pip) | Apr 16, 2026
Authlib: Cross-site request forging when using cache | Moderate | GHSA-jj8c-mmj3-mmgv | authlib (pip) | Apr 16, 2026
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM | Moderate | GHSA-x284-j5p8-9c5p | pypdf (pip) | Apr 16, 2026
pypdf: Possible long runtimes for wrong size values in incremental mode | Moderate | GHSA-4pxv-j86v-mhcw | pypdf (pip) | Apr 16, 2026
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM | Moderate | GHSA-7gw9-cf7v-778f | pypdf (pip) | Apr 16, 2026
Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates | Moderate | CVE-2026-40602 | homeassistant-cli (pip) | Apr 16, 2026
Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | Moderate | CVE-2026-25219 | apache-airflow (pip) | Apr 15, 2026
Mako: Path traversal via double-slash URI prefix in TemplateLookup | Moderate | GHSA-v92g-xgxw-vvmm | Mako (pip) | Apr 16, 2026
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision | Moderate | CVE-2026-40256 | weblate (pip) | Apr 16, 2026
Weblate: SSRF via the webhook add-on using unprotected fetch_url() | Moderate | CVE-2026-39845 | weblate (pip) | Apr 16, 2026
Weblate: SSRF via Project-Level Machinery Configuration | Moderate | CVE-2026-34244 | weblate (pip) | Apr 16, 2026
Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads | Moderate | CVE-2026-33440 | weblate (pip) | Apr 16, 2026
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository | Moderate | CVE-2026-33220 | weblate (pip) | Apr 16, 2026
Weblate: Improper access control for the translation memory in API | Moderate | CVE-2026-33214 | weblate (pip) | Apr 16, 2026
wger has Stored XSS via Unescaped License Attribution Fields | Moderate | CVE-2026-40353 | wger (pip) | Apr 16, 2026
pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) | Moderate | CVE-2026-40594 | pyload-ng (pip) | Apr 16, 2026
Advisories are also available from the GraphQL API.