GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 44
GitHub Actions: 45
Go: 3,196
Maven: 5,000+
npm: 5,000+
NuGet: 864
pip: 4,483
Pub: 12
RubyGems: 992
Rust: 1,186
Swift: 51

Unreviewed advisories
All unreviewed: 5,000+
4,483 advisories
Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit
Moderate | CVE-2026-4269 was published for bedrock-agentcore-starter-toolkit (pip) | Mar 17, 2026

AWS API MCP File Access Restriction Bypass
Moderate | CVE-2026-4270 was published for awslabs.aws-api-mcp-server (pip) | Mar 17, 2026

Vanna has a SQL injection in the remove_training_data function
Moderate | CVE-2026-4229 was published for vanna (pip) | Mar 16, 2026

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Critical | CVE-2026-33017 was published for langflow (pip) | Mar 17, 2026

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
High | CVE-2026-2033 was published for mlflow (pip) | Feb 21, 2026

MLflow Use of Default Password Authentication Bypass Vulnerability
Critical | CVE-2026-2635 was published for mlflow (pip) | Feb 21, 2026

MLflow has a command injection in mlflow/sagemaker/__init__.py
High | CVE-2025-14287 was published for mlflow (pip) | Mar 16, 2026

Denial of Service in pyasn1 via Unbounded Recursion
High | CVE-2026-30922 was published for pyasn1 (pip) | Mar 17, 2026

Uncontrolled recursion DoS in JustHTML() via deeply nested HTML
High | GHSA-v7cf-c9rm-wm3j was published for justhtml (pip) | Mar 17, 2026

Apache Superset OS Command Injection
High | CVE-2020-13948 was published for apache-superset (pip) | May 24, 2022

langchain Server-Side Request Forgery vulnerability
Low | CVE-2024-0243 was published for langchain (pip) | Feb 26, 2024

Apache Libcloud does not verify SSL certificates for HTTPS connections
High | CVE-2010-4340 was published for apache-libcloud (pip) | May 17, 2022

SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox
High | CVE-2026-32640 was published for simpleeval (pip) | Mar 13, 2026

FastMCP OAuth Proxy token reuse across MCP servers
High | CVE-2025-69196 was published for fastmcp (pip) | Mar 16, 2026

Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
High | CVE-2026-28498 was published for authlib (pip) | Mar 16, 2026

Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
High | CVE-2026-28490 was published for authlib (pip) | Mar 16, 2026

Authlib JWS JWK Header Injection: Signature Verification Bypass
Critical | CVE-2026-27962 was published for authlib (pip) | Mar 16, 2026

PyJWT accepts unknown `crit` header extensions
High | CVE-2026-32597 was published for PyJWT (pip) | Mar 13, 2026

Stored XSS in Memray-generated HTML reports via unescaped command-line metadata
Low | CVE-2026-32722 was published for memray (pip) | Mar 16, 2026

Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
High | CVE-2026-32634 was published for Glances (pip) | Mar 16, 2026

Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical | CVE-2026-32633 was published for Glances (pip) | Mar 16, 2026

Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Moderate | CVE-2026-32632 was published for Glances (pip) | Mar 16, 2026

Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements
High | CVE-2026-32611 was published for Glances (pip) | Mar 16, 2026

Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
High | CVE-2026-32610 was published for Glances (pip) | Mar 16, 2026

Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
High | CVE-2026-32609 was published for Glances (pip) | Mar 16, 2026

ProTip! Advisories are also available from the GraphQL API