Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,954
Maven
5,000+
npm
4,606
NuGet
787
pip
4,305
Pub
12
RubyGems
984
Rust
1,121
Swift
49
Unreviewed advisories
All unreviewed
5,000+

1,647 advisories

Loading
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins High
CVE-2026-25478 was published for litestar (pip) Feb 9, 2026
Sirdorblu
Credited to Sirdorblu
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token High
CVE-2026-25650 was published for mcp-salesforce-connector (pip) Feb 6, 2026
Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL High
CVE-2026-25640 was published for pydantic-ai (pip) Feb 6, 2026
doredry urioren
amiteliahu
Credited to doredry, urioren, and amiteliahu
Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling High
CVE-2026-25580 was published for pydantic-ai (pip) Feb 6, 2026
YuvalElbar6 doredry
Credited to YuvalElbar6 and doredry
NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write High
CVE-2026-25732 was published for nicegui (pip) Feb 5, 2026
k14uz falkoschindler
evnchn
Credited to k14uz, falkoschindler, and evnchn
pgadmin4 affected by a Restore restriction bypass via key disclosure vulnerability High
CVE-2026-1707 was published for pgadmin4 (pip) Feb 5, 2026
Duplicate Advisory: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc High
GHSA-8x2r-v9x5-3qgh was published for pdfminer.six (pip) Feb 3, 2026 withdrawn
Boltz contains an insecure deserialization vulnerability in its molecule loading functionality High
CVE-2025-70560 was published for boltz (pip) Feb 3, 2026
Django has an SQL Injection issue High
CVE-2026-1312 was published for Django (pip) Feb 3, 2026
Django has an SQL Injection issue High
CVE-2026-1287 was published for Django (pip) Feb 3, 2026
Django has an SQL Injection issue High
CVE-2026-1207 was published for Django (pip) Feb 3, 2026
SageMaker Python SDK has Exposed HMAC High
CVE-2026-1777 was published for sagemaker (pip) Feb 2, 2026
SageMaker Python SDK has Insecure TLS Configuration High
CVE-2026-1778 was published for sagemaker (pip) Feb 2, 2026
picklescan missing detection by simple obfuscation of a `builtins.eval` call High
GHSA-9m3x-qqw2-h32h was published for picklescan (pip) Feb 2, 2026
ogrisel
Credited to ogrisel
mlflow Creates of Temporary File in Directory with Insecure Permissions High
CVE-2025-10279 was published for mlflow (pip) Feb 2, 2026
Hugging Face Text Generation Inference vulnerable to Uncontrolled Resource Consumption High
CVE-2026-0599 was published for text-generation (pip) Feb 2, 2026
Lollms has an Improper Access Control vulnerability High
CVE-2026-1117 was published for lollms (pip) Feb 2, 2026
Salt Authentication Protocol Version Downgrade Allows Minion Impersonation High
CVE-2025-62349 was published for salt (pip) Jan 30, 2026
Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload High
CVE-2025-62348 was published for salt (pip) Jan 30, 2026
geopandas SQL Injection Vulnerability in to_postgis() Allows Information Disclosure High
CVE-2025-69662 was published for geopandas (pip) Jan 30, 2026
AutoGPT is Vulnerable to RCE via Disabled Block Execution High
CVE-2026-24780 was published for agpt (pip) Jan 29, 2026
rahulgovind
Credited to rahulgovind
vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector High
CVE-2026-24779 was published for vllm (pip) Jan 28, 2026
leishilong leung-yao
Isotr0py russellb
Credited to leishilong, leung-yao, Isotr0py, and russellb
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files High
CVE-2026-24747 was published for pytorch (pip) Jan 27, 2026
azraelxuemo
Credited to azraelxuemo
MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field High
CVE-2026-24490 was published for mobsf (pip) Jan 26, 2026
smaranchand
Credited to smaranchand
Python-Multipart has Arbitrary File Write via Non-Default Configuration High
CVE-2026-24486 was published for python-multipart (pip) Jan 26, 2026
mwlik imenyoo2
Credited to mwlik and imenyoo2
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database