Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

1,758 advisories

Loading
Django has an SQL Injection issue Moderate
CVE-2026-1312 was published for Django (pip) Feb 3, 2026
sunnypatell
Credited to sunnypatell
Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access Moderate
CVE-2026-22922 was published for apache-airflow (pip) Feb 9, 2026
saivarun3407 tei-dunamu
Credited to saivarun3407 and tei-dunamu
sqlparse: formatting list of tuples leads to denial of service Moderate
GHSA-27jp-wm6q-gp25 was published for sqlparse (pip) Feb 13, 2026
jacobtylerwalls
Credited to jacobtylerwalls
DiskCache has unsafe pickle deserialization Moderate
CVE-2025-69872 was published for diskcache (pip) Feb 11, 2026
MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability Moderate
CVE-2026-25905 was published for mcp-run-python (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users Moderate
CVE-2026-24098 was published for apache-airflow (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
MCP Run Python Deno Sandbox Misconfiguration Allows SSRF Attacks via Localhost Access Moderate
CVE-2026-25904 was published for mcp-run-python (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection Moderate
CVE-2026-25528 was published for langsmith (npm) Feb 9, 2026
Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD) Moderate
CVE-2026-25480 was published for litestar (pip) Feb 9, 2026
Sirdorblu
Credited to Sirdorblu
Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns Moderate
CVE-2026-25479 was published for litestar (pip) Feb 9, 2026
Sirdorblu
Credited to Sirdorblu
NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content Moderate
CVE-2026-25516 was published for nicegui (pip) Feb 5, 2026
falkoschindler evnchn
Credited to falkoschindler and evnchn
web2py has an Open Redirect Vulnerability Moderate
CVE-2026-25198 was published for web2py (pip) Feb 5, 2026
Wagtail has improper permission handling on admin preview endpoints Moderate
CVE-2026-25517 was published for wagtail (pip) Feb 3, 2026
thxtech gasman
RealOrangeOne laymonage
Credited to thxtech, gasman, RealOrangeOne, and laymonage
Khoj has an IDOR in Notion OAuth Flow that Enables Index Poisoning Moderate
CVE-2025-69207 was published for khoj (pip) Feb 2, 2026
Cillian-Collins
Credited to Cillian-Collins
llama-index-core vulnerable to Uncontrolled Resource Consumption Moderate
CVE-2025-6208 was published for llama-index-core (pip) Feb 2, 2026
picklescan vulnerable to arbitrary file create using logging.FileHandler Moderate
GHSA-m7j5-r2p5-c39r was published for picklescan (pip) Feb 2, 2026
ez-lbz
Credited to ez-lbz
Werkzeug safe_join() allows Windows special device names with compound extensions Moderate
CVE-2026-21860 was published for Werkzeug (pip) Jan 8, 2026
yueyueL MushroomWasp
Credited to yueyueL and MushroomWasp
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true Moderate
CVE-2026-23986 was published for copier (pip) Jan 21, 2026
cbrown1234 sisp
Credited to cbrown1234 and sisp
Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false Moderate
CVE-2026-23968 was published for copier (pip) Jan 21, 2026
sisp cbrown1234
Credited to sisp and cbrown1234
OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication Moderate
CVE-2026-23892 was published for OctoPrint (pip) Jan 27, 2026
yueyueL
Credited to yueyueL
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download Moderate
CVE-2026-21851 was published for monai (pip) Jan 6, 2026
yueyueL ericspod
Credited to yueyueL and ericspod
Unfurl's unbounded zlib decompression allows decompression bomb DoS Moderate
GHSA-h5qv-qjv4-pc5m was published for dfir-unfurl (pip) Jan 29, 2026
mobasi-team
Credited to mobasi-team
pypdf has possible Infinite Loop when processing outlines/bookmarks Moderate
CVE-2026-24688 was published for pypdf (pip) Jan 26, 2026
JoakimBulow stefan6419846
Credited to JoakimBulow and stefan6419846
Peppol-py is vulnerable to XXE attacks due to Saxon configuration Moderate
CVE-2025-66371 was published for peppol_py (pip) Nov 28, 2025
Gakido vulnerable to HTTP Header Injection (CRLF Injection) Moderate
CVE-2026-24489 was published for gakido (pip) Jan 26, 2026
omarkurt
Credited to omarkurt
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database