Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,026
Maven
5,000+
npm
4,763
NuGet
824
pip
4,366
Pub
12
RubyGems
987
Rust
1,143
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,778 advisories

Loading
ml-logger file handler allows reading arbitrary files Moderate
CVE-2025-10952 was published for ml-logger (pip) Sep 25, 2025
ml-logger has path traversal in the file argument Moderate
CVE-2025-10951 was published for ml-logger (pip) Sep 25, 2025
Llama Stack could potentially allow for remote code execution Moderate
CVE-2025-55178 was published for llama-stack (pip) Sep 24, 2025
pip's fallback tar extraction doesn't check symbolic links point to extraction directory Moderate
CVE-2025-8869 was published for pip (pip) Sep 24, 2025
cai0duque bentasker
swils23 ichard26 gcbirzan-plutoflume
Credited to cai0duque, bentasker, swils23, ichard26, and gcbirzan-plutoflume
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer Moderate
CVE-2025-6921 was published for transformers (pip) Sep 23, 2025
CodeChecker has a buffer overflow in the log command Moderate
CVE-2025-40843 was published for codechecker (pip) Sep 22, 2025
barnabasdomozi
Credited to barnabasdomozi
mcp-kubernetes-server has a Command Injection vulnerability Moderate
CVE-2025-59376 was published for mcp-kubernetes-server (pip) Sep 15, 2025
cai0duque
Credited to cai0duque
Hugging Face Transformers library has Regular Expression Denial of Service Moderate
CVE-2025-6051 was published for transformers (pip) Sep 14, 2025
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer Moderate
CVE-2025-6638 was published for transformers (pip) Sep 12, 2025
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods Moderate
CVE-2025-58065 was published for flask-appbuilder (pip) Sep 11, 2025
Infrahub: Deleted and expired API tokens can still authenticate Moderate
CVE-2025-59036 was published for infrahub-server (pip) Sep 10, 2025
fatih-acar
Credited to fatih-acar
Indico vulnerable to Cross-Site Scripting via LaTeX math code Moderate
CVE-2025-59035 was published for indico (pip) Sep 10, 2025
ThiefMaster
Credited to ThiefMaster
Indico may disclose unauthorized user details access via legacy API Moderate
CVE-2025-59034 was published for indico (pip) Sep 10, 2025
inkz
Credited to inkz
SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor Moderate
CVE-2025-10164 was published for sglang (pip) Sep 9, 2025
m1ssya
Credited to m1ssya
copyparty: Sharing a single file does not fully restrict access to other files in source folder Moderate
CVE-2025-58753 was published for copyparty (pip) Sep 9, 2025
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments Moderate
CVE-2025-57816 was published for ethyca-fides (pip) Sep 8, 2025
daveqnet eastandwestwind
erosselli
Credited to daveqnet, eastandwestwind, and erosselli
xgrammar vulnerable to denial of service by huge enum grammar Moderate
CVE-2025-58446 was published for xgrammar (pip) Sep 5, 2025
xendo
Credited to xendo
MobSF Vulnerable to Arbitrary File Write (AR-Slip) via Absolute Path in .a Extraction Moderate
CVE-2025-58162 was published for mobsf (pip) Sep 2, 2025
noname1337h1
Credited to noname1337h1
Local Deep Research's API keys are stored in plain text Moderate
CVE-2025-57806 was published for local-deep-research (pip) Sep 2, 2025
i-d-lytvynenko
Credited to i-d-lytvynenko
Eventlet affected by HTTP request smuggling in unparsed trailers Moderate
CVE-2025-58068 was published for eventlet (pip) Aug 29, 2025
sebastianosrt
Credited to sebastianosrt
Picklescan is missing detection when calling built-in python library asyncio.unix_events._UnixSubprocessTransport._start Moderate
GHSA-q77w-mwjj-7mqx was published for picklescan (pip) Aug 26, 2025
FredericDT
Credited to FredericDT
Picklescan is missing detection when calling built-in python cProfile.run Moderate
GHSA-49gj-c84q-6qm9 was published for picklescan (pip) Aug 26, 2025
FredericDT
Credited to FredericDT
Picklescan is missing detection when calling built-in python cProfile.runctx Moderate
GHSA-9w88-8rmg-7g2p was published for picklescan (pip) Aug 26, 2025
FredericDT
Credited to FredericDT
Picklescan is missing detection when calling built-in python doctest.debug_script Moderate
GHSA-fqq6-7vqf-w3fg was published for picklescan (pip) Aug 26, 2025
FredericDT
Credited to FredericDT
Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode Moderate
GHSA-3gf5-cxq9-w223 was published for picklescan (pip) Aug 26, 2025
FredericDT
Credited to FredericDT
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database