GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,735 advisories

orjson does not limit recursion for deeply nested JSON documents Moderate
CVE-2025-67221 was published for orjson (pip) Jan 22, 2026
Credited to cbrown1234 and sisp
Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization Moderate
CVE-2026-23946 was published for tendenci (pip) Jan 21, 2026
Credited to nedlir
ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component Moderate
CVE-2026-23833 was published for esphome (pip) Jan 21, 2026
Credited to Mat931
Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user Moderate
CVE-2026-23877 was published for swingmusic (pip) Jan 21, 2026
Credited to d-virtuosa
Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard Moderate
CVE-2026-23528 was published for distributed (pip) Jan 16, 2026
BlackSheep's ClientSession is vulnerable to CRLF injection Moderate
CVE-2026-22779 was published for blacksheep (pip) Jan 14, 2026
Credited to tr4ce-ju
hermes's raw options logging may disclose secrets passed in via subcommand options argument Moderate
CVE-2026-22798 was published for hermes (pip) Jan 13, 2026
Credited to thunze, sdruskat, and zyzzyxdonta
virtualenv Has TOCTOU Vulnerabilities in Directory Creation Moderate
CVE-2026-22702 was published for virtualenv (pip) Jan 13, 2026
Credited to tsigouris007
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock Moderate
CVE-2026-22701 was published for filelock (pip) Jan 13, 2026
Credited to tsigouris007
vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions Moderate
CVE-2026-22773 was published for vllm (pip) Jan 13, 2026
Credited to oxcabe, Isotr0py, and DarkLight1337
Weblate wlc has insecure API key configuration Moderate
CVE-2026-22251 was published for wlc (pip) Jan 12, 2026
Credited to nijel and Zee99y
Authlib has 1-click Account Takeover vulnerability Moderate
CVE-2025-68158 was published for authlib (pip) Jan 8, 2026
Credited to davidbors-snyk
NiceGUI has Redis connection leak via tab storage causes service degradation Moderate
CVE-2026-21874 was published for nicegui (pip) Jan 8, 2026
Credited to yudelevi and evnchn
Credited to evnchn, xx-mikusan-xx, and falkoschindler
NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace() Moderate
CVE-2026-21871 was published for nicegui (pip) Jan 8, 2026
Credited to xx-mikusan-xx, evnchn, and falkoschindler
Werkzeug safe_join() allows Windows special device names with compound extensions Moderate
CVE-2026-21860 was published for Werkzeug (pip) Jan 8, 2026
Credited to yueyueL and MushroomWasp
records-mover Injection vulnerability Moderate
CVE-2023-7333 was published for records-mover (pip) Jan 8, 2026
Parsl Monitoring Visualization Vulnerable to SQL Injection Moderate
CVE-2026-21892 was published for parsl (pip) Jan 6, 2026
Credited to viralvaghela
Bokeh server applications have Incomplete Origin Validation in WebSockets Moderate
CVE-2026-21883 was published for bokeh (pip) Jan 6, 2026
Credited to katzj
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download Moderate
CVE-2026-21851 was published for monai (pip) Jan 6, 2026
Credited to yueyueL
AIOHTTP vulnerable to DoS through chunked messages Moderate
CVE-2025-69229 was published for aiohttp (pip) Jan 5, 2026
Credited to Finder16
AIOHTTP vulnerable to denial of service through large payloads Moderate
CVE-2025-69228 was published for aiohttp (pip) Jan 5, 2026
Credited to ThomasRinsma and Finder16
AIOHTTP vulnerable to DoS when bypassing asserts Moderate
CVE-2025-69227 was published for aiohttp (pip) Jan 5, 2026
Credited to ThomasRinsma