GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
5,531 advisories
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Critical
CVE-2026-49257
was published
for
mcp-pinot-server
(pip)
Jun 26, 2026
mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
High
CVE-2026-49291
was published
for
mcp-memory-service
(pip)
Jun 26, 2026
Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers
Moderate
GHSA-75mw-h36v-2jv7
was published
for
dosage
(pip)
Jun 26, 2026
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
Moderate
CVE-2026-48990
was published
for
joserfc
(pip)
Jun 26, 2026
python-socketio: Binary attachment accumulation can cause denial of service
High
CVE-2026-48804
was published
for
python-socketio
(pip)
Jun 26, 2026
python-engineio has unbound thread allocation that can cause denial of service
High
CVE-2026-48802
was published
for
python-engineio
(pip)
Jun 26, 2026
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
Critical
GHSA-98x5-vq43-vc5p
was published
for
semantic-router
(pip)
Jun 26, 2026
nono-py has proxy-only network fallback bypass on older Linux kernels
Moderate
GHSA-72w7-mf9g-733p
was published
for
nono-py
(pip)
Jun 26, 2026
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Moderate
CVE-2026-48782
was published
for
pydantic-ai
(pip)
Jun 26, 2026
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise
Critical
CVE-2026-55166
was published
for
lemur
(pip)
Jun 25, 2026
Lemur: JWT verifier honors attacker-supplied alg, enabling ATO
Moderate
CVE-2026-55165
was published
for
lemur
(pip)
Jun 25, 2026
Lemur user-update path stores plaintext passwords
Moderate
CVE-2026-55164
was published
for
lemur
(pip)
Jun 25, 2026
Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Moderate
CVE-2026-55163
was published
for
lemur
(pip)
Jun 25, 2026
Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF
Moderate
CVE-2026-55162
was published
for
lemur
(pip)
Jun 25, 2026
Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission
High
CVE-2026-48508
was published
for
lemur
(pip)
Jun 25, 2026
LangGraph SDK has unsafe URL path construction
Moderate
CVE-2026-48776
was published
for
langgraph-sdk
(pip)
Jun 25, 2026
LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading
Moderate
CVE-2026-48775
was published
for
langgraph-checkpoint
(pip)
Jun 25, 2026
justhtml: to_markdown() code-span blank-line breakout enables XSS
Moderate
GHSA-jf6w-2mvx-633j
was published
for
justhtml
(pip)
Jun 25, 2026
Flask-Security has an Open Redirect issue
Moderate
GHSA-w2j7-f3c6-g8cw
was published
for
Flask-Security
(pip)
Jun 23, 2026
ProTip!
Advisories are also available from the
GraphQL API