GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

59 advisories

joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
Severity: Moderate
CVE-2026-48990 was published for joserfc (pip) Jun 26, 2026
Credited to 0xHunSec

pypdf: Missing stream length values ignore defined limits
Severity: Moderate
GHSA-jm82-fx9c-mx94 was published for pypdf (pip) Jun 18, 2026
Credited to sondt99 and stefan6419846

pypdf: Manipulated XMP metadata streams can exhaust RAM
Severity: Moderate
CVE-2026-48735 was published for pypdf (pip) Jun 16, 2026
Credited to manop55555 and stefan6419846

aiohttp: Incomplete websocket frame payloads bypass memory limits
Severity: Moderate
CVE-2026-54274 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and Dreamsorcerer

aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
Severity: Moderate
CVE-2026-54273 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco

aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Severity: Moderate
CVE-2026-54277 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco

OpenEXR Out-Of-Memory via Unbounded File Header Values
Severity: Moderate
CVE-2025-48074 was published for OpenEXR (pip) Jul 31, 2025
Credited to suidpit, ndaprela, TheZ3ro, and smaury

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Severity: Moderate
CVE-2026-45554 was published for nicegui (pip) May 18, 2026
Credited to bitinerant, evnchn, and falkoschindler

xgrammar Vulnerable to Denial of Service (DoS) by abusing unbounded cache in memory
Severity: Moderate
CVE-2025-32381 was published for xgrammar (pip) Apr 9, 2025
Credited to russellb, Ubospica, and DarkSharpness

vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing
Severity: Moderate
CVE-2026-34755 was published for vllm (pip) Apr 3, 2026
Credited to SEORY0, russellb, jperezdealgaba, DarkLight1337, and Isotr0py

vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions
Severity: Moderate
CVE-2026-22773 was published for vllm (pip) Jan 13, 2026
Credited to oxcabe, Isotr0py, and DarkLight1337

vLLM denial of service via outlines unbounded cache on disk
Severity: Moderate
CVE-2025-29770 was published for vllm (pip) Mar 19, 2025
Credited to russellb

zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
Severity: Moderate
CVE-2026-47184 was published for zeroconf (pip) May 29, 2026

ciguard: SCA HTTP client reads response body without size cap
Severity: Moderate
CVE-2026-44219 was published for ciguard (pip) May 5, 2026

PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS
Severity: Moderate
CVE-2026-40115 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server
Severity: Moderate
CVE-2026-34756 was published for vllm (pip) Apr 3, 2026
Credited to ez-lbz, russellb, and jperezdealgaba

AIOHTTP has a Multipart Header Size Bypass
Severity: Moderate
CVE-2026-34516 was published for aiohttp (pip) Apr 1, 2026
Credited to bekkaze and Dreamsorcerer

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)
Severity: Moderate
CVE-2026-34052 was published for jupyterhub-ltiauthenticator (pip) Apr 3, 2026
Credited to yueyueL

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
Severity: Moderate
CVE-2026-22815 was published for aiohttp (pip) Apr 1, 2026
Credited to sg3-141-592 and Dreamsorcerer

NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Severity: Moderate
CVE-2026-33332 was published for nicegui (pip) Mar 19, 2026
Credited to aest3ra, oxqnd, mjkim610, evnchn, Khaliun-sw1, and falkoschindler

pypdf: manipulated stream length values can exhaust RAM
Severity: Moderate
CVE-2026-31826 was published for pypdf (pip) Mar 11, 2026
Credited to iconnnjka and stefan6419846

zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
Severity: Moderate
CVE-2026-27695 was published for zae-limiter (pip) Feb 25, 2026
Credited to sodre

pypdf possibly has long runtimes for malformed FlateDecode streams
Severity: Moderate
CVE-2026-27026 was published for pypdf (pip) Feb 18, 2026
Credited to CheonWoong-Park and stefan6419846

sqlparse: formatting list of tuples leads to denial of service
Severity: Moderate
GHSA-27jp-wm6q-gp25 was published for sqlparse (pip) Feb 13, 2026
Credited to jacobtylerwalls