
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,828 advisories

wlc: print_html outputs API data without HTML escaping Moderate
GHSA-gx2m-mcc2-r4p3 was published for wlc (pip) Apr 24, 2026
Credited to fg0x0 and nijel
LiteLLM has SQL Injection in Proxy API key verification Critical
GHSA-r75f-5x8p-qvmc was published for litellm (pip) Apr 24, 2026
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization High
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
Credited to shakevsky
LiteLLM: Server-Side Template Injection in /prompts/test endpoint High
GHSA-xqmj-j6mv-4862 was published for litellm (pip) Apr 24, 2026
AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache Moderate
CVE-2026-6550 was published for aws-encryption-sdk (pip) Apr 24, 2026
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer Critical
CVE-2025-62373 was published for pipecat-ai (pip) Apr 23, 2026
Credited to Chenpinji
justhtml has sanitization bypass in custom policies and programmatic DOM Moderate
GHSA-vrx2-77f2-ww34 was published for justhtml (pip) Apr 22, 2026
Credited to EmilStenstrom
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 Low
CVE-2026-41140 was published for poetry (pip) Apr 22, 2026
Credited to kodareef5 and radoering
Credited to Brubbish
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding Moderate
CVE-2026-39378 was published for nbconvert (pip) Apr 21, 2026
Credited to g0blinResearch
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames Moderate
CVE-2026-39377 was published for nbconvert (pip) Apr 21, 2026
Credited to g0blinResearch
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values Moderate
CVE-2026-35588 was published for glances (pip) Apr 21, 2026
Credited to morimori-dev
Glances has SSRF in IP Plugin via public_api leading to credential leakage High
CVE-2026-35587 was published for glances (pip) Apr 21, 2026
Credited to Venukamatchi
LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading High
CVE-2026-33626 was published for lmdeploy (pip) Apr 21, 2026
Credited to stepanskyigor-orca
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
Credited to tsigouris007 and bbc2
Apache Doris MCP Server vulnerable to SQL Injection via improper query context neutralization Moderate
CVE-2025-66335 was published for doris-mcp-server (pip) Apr 20, 2026
FastChat has a Content Moderation Bypass via Arena Side-by-Side Views Moderate
CVE-2026-6608 was published for fschat (pip) Apr 20, 2026
Langflow: Cleartext Storage of Authentication Settings in Project Creation Endpoint Low
CVE-2026-6598 was published for langflow (pip) Apr 20, 2026
Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API Moderate
CVE-2026-6596 was published for langflow-base (pip) Apr 20, 2026
Langflow has an Information Leak through Incomplete API Key Redaction Low
CVE-2026-6597 was published for langflow (pip) Apr 20, 2026
RAGAS has SSRF via Multi-Modal Faithfulness Collections Module Low
CVE-2026-6587 was published for ragas (pip) Apr 20, 2026
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation Moderate
CVE-2026-40948 was published for apache-airflow-providers-keycloak (pip) Apr 18, 2026