GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 40; GitHub Actions 40; Go 2,951; Maven 5,000+; npm 4,598; NuGet 787; pip 4,305; Pub 12; RubyGems 983; Rust 1,121; Swift 49. Unreviewed advisories (all): 5,000+.

548 advisories listed in the current view.
Advisory (title | severity | identifier | package (ecosystem) | published):

Keylime Missing Authentication for Critical Function and Improper Authentication | Critical | CVE-2026-1709 | keylime (pip) | Feb 6, 2026
Duplicate Advisory: Keylime Missing Authentication for Critical Function and Improper Authentication | Critical | GHSA-27jc-jmp8-qfw5 | keylime (pip) | Feb 6, 2026 | withdrawn
Langroid has WAF Bypass Leading to RCE in TableChatAgent | Critical | CVE-2026-25481 | langroid (pip) | Feb 2, 2026
Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK | Critical | CVE-2026-25592 | Microsoft.SemanticKernel.Core (NuGet) | Feb 6, 2026
EPyT-Flow vulnerable to unsafe JSON deserialization (__type__) | Critical | CVE-2026-25632 | epyt-flow (pip) | Feb 4, 2026
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication | Critical | CVE-2026-25505 | bambuddy (pip) | Feb 2, 2026
A single post-release of dydx-v4-client contained obfuscated multi-stage loader | Critical | GHSA-4f84-67cv-qrv3 | dydx-v4-client (pip) | Feb 6, 2026
Weblate is vulnerable to RCE through Git config file overwrite | Critical | CVE-2025-68398 | Weblate (pip) | Dec 18, 2025
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write | Critical | CVE-2025-64712 | unstructured (pip) | Feb 3, 2026
Gradio allows users to access arbitrary files | Critical | CVE-2024-1728 | gradio (pip) | Sep 25, 2024
Workers for local Dask clusters mistakenly listened on public interfaces | Critical | CVE-2021-42343 | distributed (pip) | Jul 15, 2022
Duplicate Advisory: Remote code execution in dask | Critical | GHSA-j8fq-86c5-5v2r | dask (pip) | Oct 27, 2021 | withdrawn
H2O has an External Control of File Name or Path vulnerability | Critical | CVE-2024-5986 | ai.h2o:h2o-core (Maven) | Feb 2, 2026
CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection | Critical | CVE-2026-25130 | cai-framework (pip) | Jan 30, 2026
wolfSSL Python module vulnerable to Improper Authentication | Critical | CVE-2025-15346 | wolfssl (pip) | Jan 8, 2026
Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure) | Critical | GHSA-vg9h-jx4v-cwx2 | dfir-unfurl (pip) | Jan 29, 2026
dcap-qvl has Missing Verification for QE Identity | Critical | CVE-2026-22696 | @phala/dcap-qvl (npm) | Jan 26, 2026
HTTP Request Smuggling: Content-Length Sent Twice in Waitress | Critical | CVE-2019-16792 | waitress (pip) | Dec 20, 2019
Langflow CORS misconfiguration enables Account Takeover and RCE | Critical | CVE-2025-34291 | langflow (pip) | Dec 6, 2025
Salesforce Uni2TS has a Code Injection vulnerability | Critical | CVE-2026-22584 | uni2ts (pip) | Jan 10, 2026
BackendAI Missing Authentication for Critical Function | Critical | CVE-2025-49652 | backend.ai (pip) | Jun 9, 2025
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter | Critical | GHSA-5882-5rx9-xgxp | Crawl4AI (pip) | Jan 16, 2026
terminal-controller-mcp vulnerable to Command Injection | Critical | CVE-2025-61492 | terminal-controller (pip) | Jan 7, 2026
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs | Critical | CVE-2025-68664 | langchain-core (pip) | Dec 23, 2025