Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,175
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

40 advisories

Loading
vLLM: OpenAI auth bypass Critical
CVE-2026-48746 was published for vllm (pip) Jun 16, 2026
x41j Credited to x41j, russellb, and DarkLight1337 russellb russellb
DarkLight1337 DarkLight1337
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling Low
CVE-2026-53538 was published for python-multipart (pip) Jun 15, 2026
maxisbey Credited to maxisbey
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks Moderate
CVE-2026-48710 was published for starlette (pip) Jun 4, 2026
x41j Credited to x41j, ehhthing, and nic-lovin ehhthing ehhthing
nic-lovin nic-lovin
AIOHTTP accepts duplicate Host headers Moderate
CVE-2026-34525 was published for aiohttp (pip) Apr 1, 2026
5yu4n Credited to 5yu4n, rodrigobnogueira, and bdraco rodrigobnogueira rodrigobnogueira
bdraco bdraco
Duplicate Advisory: Inconsistent Interpretation of HTTP Requests in Waitress High
GHSA-j7j6-7hfx-5522 was published for waitress (pip) May 24, 2022 withdrawn
xnuinside Credited to xnuinside
HTTP Request Smuggling: Content-Length Sent Twice in Waitress Critical
CVE-2019-16792 was published for waitress (pip) Dec 20, 2019
AIOHTTP has unicode match groups in regexes for ASCII protocol elements Low
CVE-2025-69225 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma Credited to ThomasRinsma and Dreamsorcerer Dreamsorcerer Dreamsorcerer
AIOHTTP's unicode processing of header values could cause parsing discrepancies Low
CVE-2025-69224 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma Credited to ThomasRinsma and Dreamsorcerer Dreamsorcerer Dreamsorcerer
twisted.web has disordered HTTP pipeline response Moderate
CVE-2024-41671 was published for twisted (pip) Jul 29, 2024
kenballus Credited to kenballus, twm, and adiroiban twm twm
adiroiban adiroiban
twisted.web has disordered HTTP pipeline response Moderate
CVE-2023-46137 was published for twisted (pip) Oct 25, 2023
mukeran Credited to mukeran
Eventlet affected by HTTP request smuggling in unparsed trailers Moderate
CVE-2025-58068 was published for eventlet (pip) Aug 29, 2025
sebastianosrt Credited to sebastianosrt
aiohttp allows request smuggling due to incorrect parsing of chunk extensions Moderate
CVE-2024-52304 was published for aiohttp (pip) Nov 18, 2024
JeppW Credited to JeppW and bdraco bdraco bdraco
aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators Moderate
CVE-2024-23829 was published for aiohttp (pip) Jan 29, 2024
pajod Credited to pajod
Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks Low
CVE-2023-47641 was published for aiohttp (pip) Nov 14, 2023
chinchila Credited to chinchila
AIOHTTP has problems in HTTP parser (the python one, not llhttp) Moderate
CVE-2023-47627 was published for aiohttp (pip) Nov 14, 2023
kenballus Credited to kenballus and Dreamsorcerer Dreamsorcerer Dreamsorcerer
Gunicorn HTTP Request/Response Smuggling vulnerability High
CVE-2024-6827 was published for gunicorn (pip) Mar 20, 2025
xzpjerry Credited to xzpjerry
Request smuggling leading to endpoint restriction bypass in Gunicorn High
CVE-2024-1135 was published for gunicorn (pip) Apr 16, 2024
mitmproxy binaries embed a vulnerable python-hyper/h2 dependency Moderate
GHSA-63cx-g855-hvv4 was published for mitmproxy (pip) Aug 25, 2025
sebastianosrt Credited to sebastianosrt and mhils mhils mhils
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections Low
CVE-2025-53643 was published for aiohttp (pip) Jul 14, 2025
JeppW Credited to JeppW and Dreamsorcerer Dreamsorcerer Dreamsorcerer
h11 accepts some malformed Chunked-Encoding bodies Critical
CVE-2025-43859 was published for h11 (pip) Apr 24, 2025
JeppW Credited to JeppW
Waitress has request processing race condition in HTTP pipelining with invalid first request Critical
CVE-2024-49768 was published for waitress (pip) Oct 29, 2024
digitalresistor Credited to digitalresistor and mmerickel mmerickel mmerickel
Inconsistent Interpretation of HTTP Requests in twisted.web Critical
CVE-2022-24801 was published for twisted (pip) Apr 4, 2022
zeyu2001 Credited to zeyu2001, twm, and exarkun twm twm
exarkun exarkun
Improper Input Validation in Twisted Critical
CVE-2020-10108 was published for Twisted (pip) Mar 31, 2020
HTTP Request Smuggling in Twisted Critical
CVE-2020-10109 was published for Twisted (pip) Mar 31, 2020
HTTP Request Smuggling in waitress High
CVE-2022-24761 was published for waitress (pip) Mar 18, 2022
zeyu2001 Credited to zeyu2001
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database