
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,667 advisories

changedetection.io is Vulnerable to SSRF via Watch URLs High
CVE-2026-27696 was published for changedetection.io (pip) Feb 25, 2026
Credited to route2shell
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function High
CVE-2026-25733 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability High
CVE-2026-25136 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
Credited to yash2998chhabria
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution High
CVE-2026-27483 was published for mindsdb (pip) Feb 24, 2026
Credited to XlabAITeam
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution High
CVE-2026-27156 was published for nicegui (pip) Feb 24, 2026
Credited to anuraagbaishya, evnchn, and falkoschindler
Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table High
CVE-2024-56373 was published for apache-airflow (pip) Feb 24, 2026
yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option High
CVE-2026-26331 was published for yt-dlp (pip) Feb 23, 2026
Credited to dxlerYT, Grub4K, and bashonly
Google Cloud Vertex AI has a vulnerability involving predictable bucket naming High
CVE-2026-2473 was published for google-cloud-aiplatform (pip) Feb 20, 2026
Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS) High
CVE-2026-2472 was published for google-cloud-aiplatform (pip) Feb 20, 2026
D-Tale affected by Remote Code Execution through the /save-column-filter endpoint High
CVE-2026-27194 was published for dtale (pip) Feb 19, 2026
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading High
CVE-2026-1669 was published for keras (pip) Feb 18, 2026
Credited to N3mes1s
OpenStack Nova calls qemu-img without format restrictions for resize High
CVE-2026-24708 was published for Nova (pip) Feb 18, 2026
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
GHSA-97f8-7cmv-76j2 was published for picklescan (pip) Feb 18, 2026
Credited to zpbrent
NVIDIA NeMo Framework Deserializes Untrusted Data High
CVE-2025-33253 was published for nemo-toolkit (pip) Feb 18, 2026
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution High
CVE-2025-33245 was published for nemo-toolkit (pip) Feb 18, 2026
pretix unsafely evaluates variables in emails High
CVE-2026-2415 was published for pretix (pip) Feb 16, 2026
Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration) High
GHSA-gfmx-qqqh-f38q was published for keras (pip) Feb 12, 2026 withdrawn
Pillow affected by out-of-bounds write when loading PSD images High
CVE-2026-25990 was published for pillow (pip) Feb 11, 2026
Credited to wiredfool, radarhere, hugovk, and yardenporat353
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
Credited to XlabAITeam, tl2cents, keenanwgn, and A7um
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service High
CVE-2026-25577 was published for emmett-core (pip) Feb 10, 2026
Credited to Ryu-GeonWoo
Credited to Sirdorblu
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token High
CVE-2026-25650 was published for mcp-salesforce-connector (pip) Feb 6, 2026
Credited to nirhaas
Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL High
CVE-2026-25640 was published for pydantic-ai (pip) Feb 6, 2026
Credited to doredry, urioren, and amiteliahu
Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling High
CVE-2026-25580 was published for pydantic-ai (pip) Feb 6, 2026
Credited to YuvalElbar6 and doredry