Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,026
Maven
5,000+
npm
4,763
NuGet
824
pip
4,366
Pub
12
RubyGems
987
Rust
1,143
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,778 advisories

Loading
Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access Moderate
CVE-2026-22922 was published for apache-airflow (pip) Feb 9, 2026
saivarun3407 tei-dunamu
Credited to saivarun3407 and tei-dunamu
Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users Moderate
CVE-2026-24098 was published for apache-airflow (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability Moderate
CVE-2026-25905 was published for mcp-run-python (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
MCP Run Python Deno Sandbox Misconfiguration Allows SSRF Attacks via Localhost Access Moderate
CVE-2026-25904 was published for mcp-run-python (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content Moderate
CVE-2026-25516 was published for nicegui (pip) Feb 5, 2026
falkoschindler evnchn
Credited to falkoschindler and evnchn
web2py has an Open Redirect Vulnerability Moderate
CVE-2026-25198 was published for web2py (pip) Feb 5, 2026
Wagtail has improper permission handling on admin preview endpoints Moderate
CVE-2026-25517 was published for wagtail (pip) Feb 3, 2026
thxtech gasman
RealOrangeOne laymonage
Credited to thxtech, gasman, RealOrangeOne, and laymonage
Django has an SQL Injection issue Moderate
CVE-2026-1312 was published for Django (pip) Feb 3, 2026
sunnypatell
Credited to sunnypatell
picklescan vulnerable to arbitrary file create using logging.FileHandler Moderate
GHSA-m7j5-r2p5-c39r was published for picklescan (pip) Feb 2, 2026
ez-lbz
Credited to ez-lbz
Khoj has an IDOR in Notion OAuth Flow that Enables Index Poisoning Moderate
CVE-2025-69207 was published for khoj (pip) Feb 2, 2026
Cillian-Collins
Credited to Cillian-Collins
llama-index-core vulnerable to Uncontrolled Resource Consumption Moderate
CVE-2025-6208 was published for llama-index-core (pip) Feb 2, 2026
Unfurl's unbounded zlib decompression allows decompression bomb DoS Moderate
GHSA-h5qv-qjv4-pc5m was published for dfir-unfurl (pip) Jan 29, 2026
mobasi-team
Credited to mobasi-team
TaskWeaver has Protection Mechanism Failure and Server-Side Request Forgery (SSRF) Moderate
GHSA-gpx9-96j6-pp87 was published for agentos-taskweaver (pip) Jan 28, 2026
nnfrog
Credited to nnfrog
OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication Moderate
CVE-2026-23892 was published for OctoPrint (pip) Jan 27, 2026
yueyueL
Credited to yueyueL
askbot inexhaustive permissions check allows any user to modify a different user's profile picture Moderate
CVE-2026-1213 was published for askbot (pip) Jan 27, 2026
pypdf has possible Infinite Loop when processing outlines/bookmarks Moderate
CVE-2026-24688 was published for pypdf (pip) Jan 26, 2026
JoakimBulow stefan6419846
Credited to JoakimBulow and stefan6419846
Gakido vulnerable to HTTP Header Injection (CRLF Injection) Moderate
CVE-2026-24489 was published for gakido (pip) Jan 26, 2026
omarkurt
Credited to omarkurt
GI-DocGen vulnerable to Reflected XSS via unescaped query strings Moderate
CVE-2025-11687 was published for gi-docgen (pip) Jan 26, 2026
orjson does not limit recursion for deeply nested JSON documents Moderate
CVE-2025-67221 was published for orjson (pip) Jan 22, 2026
jrafkind-ai
Credited to jrafkind-ai
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true Moderate
CVE-2026-23986 was published for copier (pip) Jan 21, 2026
cbrown1234 sisp
Credited to cbrown1234 and sisp
Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false Moderate
CVE-2026-23968 was published for copier (pip) Jan 21, 2026
sisp cbrown1234
Credited to sisp and cbrown1234
Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization Moderate
CVE-2026-23946 was published for tendenci (pip) Jan 21, 2026
nedlir
Credited to nedlir
ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component Moderate
CVE-2026-23833 was published for esphome (pip) Jan 21, 2026
Mat931
Credited to Mat931
Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user Moderate
CVE-2026-23877 was published for swingmusic (pip) Jan 21, 2026
d-virtuosa
Credited to d-virtuosa
Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard Moderate
CVE-2026-23528 was published for distributed (pip) Jan 16, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database