GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (all reviewed: 5,000+): Composer 5,000+; Erlang 70; GitHub Actions 52; Go 3,967; Maven 5,000+; npm 5,000+; NuGet 973; pip 5,000+; Pub 13; RubyGems 1,064; Rust 1,387; Swift 56
Unreviewed advisories (all unreviewed): 5,000+
89 advisories
ID | Severity | Package (ecosystem), or Unreviewed | Published | Title
CVE-2025-9905 | High | keras (pip) | Sep 19, 2025 | The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.
CVE-2026-47210 | Critical | vm2 (npm) | May 29, 2026 | vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
CVE-2026-47137 | Critical | vm2 (npm) | May 29, 2026 | vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
CVE-2026-47208 | Critical | vm2 (npm) | May 29, 2026 | vm2 is Vulnerable to Sandbox Breakout Through Promise Species
CVE-2026-48700 | Critical | Unreviewed | May 26, 2026 | An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's...
CVE-2026-40217 | High | litellm (pip) | May 11, 2026 | LiteLLM has a sandbox escape in custom-code guardrail
CVE-2026-44336 | Critical | PraisonAI (pip) | May 11, 2026 | PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
CVE-2025-66398 | Critical | signalk-server (npm) | Jan 2, 2026 | Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
CVE-2026-5248 | Moderate | Unreviewed | Apr 1, 2026 | A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the...
CVE-2026-5251 | Moderate | Unreviewed | Apr 1, 2026 | A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the...
CVE-2026-34156 | Critical | @nocobase/plugin-workflow-javascript (npm) | Mar 30, 2026 | NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
CVE-2026-33286 | Critical | graphiti (RubyGems) | Mar 20, 2026 | Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
CVE-2025-68613 | Critical | n8n (npm) | Dec 22, 2025 | n8n Vulnerable to Remote Code Execution via Expression Injection
CVE-2025-69219 | High | apache-airflow-providers-http (pip) | Mar 9, 2026 | Apache Airflow Providers Http has Unsafe Pickle Deserialization leading to RCE via HttpOperator
CVE-2022-3225 | Moderate | @budibase/bbui (npm) | Sep 17, 2022 | Budibase Improper Control of Dynamically-Managed Code Resources vulnerability
CVE-2026-25049 | Critical | n8n (npm) | Feb 4, 2026 | n8n Has Expression Escape Vulnerability Leading to RCE
CVE-2026-1770 | Moderate | org.craftercms:craftercms (Maven) | Feb 2, 2026 | Crafter CMS has Improper Control of Dynamically-Managed Code Resources
CVE-2026-23830 | Critical | @nyariv/sandboxjs (npm) | Jan 27, 2026 | SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor
GHSA-4675-36f9-wf6r | High | picklescan (pip) | Dec 29, 2025 | Picklescan does not block ctypes
CVE-2025-14695 | Moderate | Unreviewed | Dec 15, 2025 | A vulnerability was determined in SamuNatsu HaloBot up to...
CVE-2025-13659 | High | Unreviewed | Dec 9, 2025 | Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to...
CVE-2025-13426 | High | Unreviewed | Dec 6, 2025 | A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api...
CVE-2025-14085 | Moderate | Unreviewed | Dec 5, 2025 | A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown...
Advisories are also available from the GraphQL API.