Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,653
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,860
Pub
13
RubyGems
1,050
Rust
1,304
Swift
53
Unreviewed advisories
All unreviewed
5,000+

1,859 advisories

Loading
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586) High
CVE-2026-42313 was published for pyload-ng (pip) May 4, 2026
shmulc8 Credited to shmulc8
GitPython: Unsafe option check validates multi_options before shlex.split transformation High
CVE-2026-42284 was published for GitPython (pip) Apr 25, 2026
Texuguinho1234 Credited to Texuguinho1234
LiteLLM: Authenticated command execution via MCP stdio test endpoints High
CVE-2026-42271 was published for litellm (pip) Apr 25, 2026
GitPython has Command Injection via Git options bypass High
CVE-2026-42215 was published for GitPython (pip) Apr 25, 2026
WesR Credited to WesR
changedetection.io project has an XXE vulnerability High
CVE-2026-41895 was published for changedetection.io (pip) May 4, 2026
FORIMOC Credited to FORIMOC
LiteLLM: Server-Side Template Injection in /prompts/test endpoint High
CVE-2026-42203 was published for litellm (pip) Apr 24, 2026
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow) High
CVE-2026-42311 was published for pillow (pip) May 4, 2026
EthanKim88 Credited to EthanKim88
pyp2spec is Vulnerable to Code Injection High
CVE-2026-42301 was published for pyp2spec (pip) May 4, 2026
gouldnicholas Credited to gouldnicholas
Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS High
CVE-2026-34839 was published for Glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
Denial of Service in pyasn1 via Unbounded Recursion High
CVE-2026-30922 was published for pyasn1 (pip) Mar 17, 2026
romanticpragmatism Credited to romanticpragmatism
Pillow affected by out-of-bounds write when loading PSD images High
CVE-2026-25990 was published for pillow (pip) Feb 11, 2026
wiredfool Credited to wiredfool, radarhere, hugovk, and yardenporat353 radarhere radarhere
hugovk hugovk yardenporat353 yardenporat353
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS High
CVE-2026-40171 was published for @jupyter-notebook/help-extension (npm) Apr 30, 2026
dtrops Credited to dtrops, Carreau, Yann-P, krassowski, and jtpio Carreau Carreau
Yann-P Yann-P krassowski krassowski jtpio jtpio
CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql` High
CVE-2026-42031 was published for ckan (pip) Apr 29, 2026
ddd Credited to ddd
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber High
CVE-2026-42352 was published for pygeoapi (pip) Apr 29, 2026
Elnimo-00 Credited to Elnimo-00
pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider High
CVE-2026-42351 was published for pygeoapi (pip) Apr 29, 2026
Elnimo-00 Credited to Elnimo-00
InstructLab Includes Functionality from Untrusted Control Sphere High
CVE-2026-6859 was published for instructlab (pip) Apr 22, 2026
InstructLab vulnerable to Path Traversal High
CVE-2026-6855 was published for instructlab (pip) Apr 22, 2026
Apache Airflow allows code execution through crafted XCom payloads High
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files High
CVE-2026-41066 was published for lxml (pip) Apr 21, 2026
Brubbish Credited to Brubbish
Glances has SSRF in IP Plugin via public_api leading to credential leakage High
CVE-2026-35587 was published for glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315) High
CVE-2026-41496 was published for praisonai (pip) Apr 17, 2026
BerSecHub Credited to BerSecHub
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations High
CVE-2026-41490 was published for dagster (pip) Apr 18, 2026
alexwaira Credited to alexwaira, vyprsec-research, and romain-deperne vyprsec-research vyprsec-research
romain-deperne romain-deperne
FITS GZIP decompression bomb in Pillow High
CVE-2026-40192 was published for pillow (pip) Apr 13, 2026
sammiee5311 Credited to sammiee5311
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard High
CVE-2026-33533 was published for Glances (pip) Mar 30, 2026
tanishqshah2 Credited to tanishqshah2
Glances Vulnerable to Command Injection via Dynamic Configuration Values High
CVE-2026-33641 was published for Glances (pip) Mar 30, 2026
mith36 Credited to mith36
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database