GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,340
Maven
5,000+
npm
5,000+
NuGet
1,033
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,498
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,282 advisories
Filter by severity
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
Moderate
CVE-2026-54911
was published
for
ujson
(pip)
Jun 19, 2026
WebOb: Location header normalization during redirect leads to open redirect - again
Moderate
CVE-2026-44889
was published
for
webob
(pip)
Jun 4, 2026
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length
Moderate
CVE-2025-71339
was published
for
picklescan
(pip)
Dec 30, 2025
Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
Moderate
CVE-2026-41479
was published
for
authlib
(pip)
Jun 8, 2026
PocketSphinx: Buffer overflows in language and acoustic model loading code
Moderate
CVE-2026-54559
was published
for
pocketsphinx
(pip)
Jul 17, 2026
PRoot-Distro has Path Traversal in proot-distro copy — Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs
Moderate
GHSA-mfr4-mq8w-vmg6
was published
for
proot-distro
(pip)
Jul 17, 2026
plone.restapi: Stored XSS by spoofing mime type
Moderate
GHSA-8rqh-vxpr-x77p
was published
for
plone.restapi
(pip)
Jul 17, 2026
plone.app.textfield: Stored XSS by spoofing mime type
Moderate
CVE-2026-54503
was published
for
plone.app.textfield
(pip)
Jul 17, 2026
vLLM: Speech-to-text upload size limit is enforced after full UploadFile read
Moderate
CVE-2026-55646
was published
for
vllm
(pip)
Jul 17, 2026
sanic-cors contains an improper regular expression in the try_match() function
Moderate
CVE-2026-37737
was published
for
sanic-cors
(pip)
Jun 5, 2026
vLLM: Processing differential in multi-channel audio downmixing enables hidden-input/moderation bypass for audio models
Moderate
CVE-2026-34760
was published
for
vllm
(pip)
Jul 17, 2026
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
Moderate
CVE-2026-54235
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: OOM Denial of Service via Audio Decompression Bomb
Moderate
CVE-2026-54233
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
Moderate
CVE-2026-12491
was published
for
vllm
(pip)
Jun 17, 2026
vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
Moderate
CVE-2026-47155
was published
for
vllm
(pip)
Jun 10, 2026
vLLM Vulnerable to Remote DoS via Special-Token Placeholders
Moderate
CVE-2026-44222
was published
for
vllm
(pip)
May 5, 2026
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
Moderate
CVE-2026-53923
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server
Moderate
CVE-2026-34756
was published
for
vllm
(pip)
Apr 3, 2026
vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing
Moderate
CVE-2026-34755
was published
for
vllm
(pip)
Apr 3, 2026
vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url `
Moderate
CVE-2026-34753
was published
for
vllm
(pip)
Apr 3, 2026
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
Moderate
CVE-2025-62426
was published
for
vllm
(pip)
Nov 20, 2025
vLLM Tool Schema allows DoS via Malformed pattern and type Fields
Moderate
CVE-2025-48944
was published
for
vllm
(pip)
May 28, 2025
vLLM: Quadratic Time Complexity in Input Token Processing leads to denial of service
Moderate
CVE-2025-46560
was published
for
vllm
(pip)
Apr 29, 2025
OpenStack Ironic: Crafted JSON String to Certain Endpoints on the API or JSON-RPC Service May Result in Service Crash
Moderate
CVE-2026-50589
was published
for
ironic
(pip)
Jun 5, 2026
ProTip!
Advisories are also available from the
GraphQL API