Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

4,317 advisories

Loading
Django has an SQL Injection issue Moderate
CVE-2026-1312 was published for Django (pip) Feb 3, 2026
sunnypatell
Credited to sunnypatell
Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access Moderate
CVE-2026-22922 was published for apache-airflow (pip) Feb 9, 2026
saivarun3407 tei-dunamu
Credited to saivarun3407 and tei-dunamu
sqlparse: formatting list of tuples leads to denial of service Moderate
GHSA-27jp-wm6q-gp25 was published for sqlparse (pip) Feb 13, 2026
jacobtylerwalls
Credited to jacobtylerwalls
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
XlabAITeam tl2cents
keenanwgn A7um
Credited to XlabAITeam, tl2cents, keenanwgn, and A7um
Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration) High
CVE-2026-1669 was published for keras (pip) Feb 12, 2026
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter Critical
CVE-2026-26216 was published for Crawl4AI (pip) Jan 16, 2026
Crawl4AI Has Local File Inclusion in Docker API via file:// URLs Critical
CVE-2026-26217 was published for crawl4ai (pip) Jan 16, 2026
DiskCache has unsafe pickle deserialization Moderate
CVE-2025-69872 was published for diskcache (pip) Feb 11, 2026
Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE Critical
CVE-2026-21531 was published for azure-ai-language-conversations-authoring (pip) Feb 10, 2026
scottaddie
Credited to scottaddie
MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability Moderate
CVE-2026-25905 was published for mcp-run-python (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
Pillow affected by out-of-bounds write when loading PSD images High
CVE-2026-25990 was published for pillow (pip) Feb 11, 2026
wiredfool radarhere
hugovk yardenporat353
Credited to wiredfool, radarhere, hugovk, and yardenporat353
Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users Moderate
CVE-2026-24098 was published for apache-airflow (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
MCP Run Python Deno Sandbox Misconfiguration Allows SSRF Attacks via Localhost Access Moderate
CVE-2026-25904 was published for mcp-run-python (pip) Feb 9, 2026
saivarun3407
Credited to saivarun3407
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages Low
CVE-2026-26013 was published for langchain-core (pip) Feb 11, 2026
Finder16
Credited to Finder16
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service High
CVE-2026-25577 was published for emmett-core (pip) Feb 10, 2026
Ryu-GeonWoo
Credited to Ryu-GeonWoo
nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows High
CVE-2025-53000 was published for nbconvert (pip) Dec 18, 2025
dlqqq krassowski
yohannslm
Credited to dlqqq, krassowski, and yohannslm
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection Moderate
CVE-2026-25528 was published for langsmith (npm) Feb 9, 2026
Litestar's FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD) Moderate
CVE-2026-25480 was published for litestar (pip) Feb 9, 2026
Sirdorblu
Credited to Sirdorblu
Litestar's AllowedHosts has a validation bypass due to unescaped regex metacharacters in configured host patterns Moderate
CVE-2026-25479 was published for litestar (pip) Feb 9, 2026
Sirdorblu
Credited to Sirdorblu
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins High
CVE-2026-25478 was published for litestar (pip) Feb 9, 2026
Sirdorblu
Credited to Sirdorblu
Keylime Missing Authentication for Critical Function and Improper Authentication Critical
CVE-2026-1709 was published for keylime (pip) Feb 6, 2026
saivarun3407 Death-Incarnate
Credited to saivarun3407 and Death-Incarnate
Duplicate Advisory: Keylime Missing Authentication for Critical Function and Improper Authentication Critical
GHSA-27jc-jmp8-qfw5 was published for keylime (pip) Feb 6, 2026 withdrawn
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token High
CVE-2026-25650 was published for mcp-salesforce-connector (pip) Feb 6, 2026
Langroid has WAF Bypass Leading to RCE in TableChatAgent Critical
CVE-2026-25481 was published for langroid (pip) Feb 2, 2026
Ka7arotto
Credited to Ka7arotto
NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write High
CVE-2026-25732 was published for nicegui (pip) Feb 5, 2026
k14uz falkoschindler
evnchn
Credited to k14uz, falkoschindler, and evnchn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database