Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,623
Maven
5,000+
npm
5,000+
NuGet
927
pip
4,843
Pub
13
RubyGems
1,045
Rust
1,271
Swift
53
Unreviewed advisories
All unreviewed
5,000+

4,843 advisories

Loading
CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql` High
CVE-2026-42031 was published for ckan (pip) Apr 29, 2026
ddd Credited to ddd
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber High
CVE-2026-42352 was published for pygeoapi (pip) Apr 29, 2026
Elnimo-00 Credited to Elnimo-00
pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider High
CVE-2026-42351 was published for pygeoapi (pip) Apr 29, 2026
Elnimo-00 Credited to Elnimo-00
CKAN has CSRF exemption primed by anonymous requests Moderate
CVE-2026-41255 was published for ckan (pip) Apr 29, 2026
Shirshaw64p Credited to Shirshaw64p
CKAN has no certificate validation on STMP connection Moderate
CVE-2026-41132 was published for ckan (pip) Apr 29, 2026
francisbergin Credited to francisbergin
beets has a Cross-site Scripting vulnerability Moderate
CVE-2026-42052 was published for beets (pip) Apr 29, 2026
FORIMOC Credited to FORIMOC and Yuremin Yuremin Yuremin
GitPython has Command Injection via Git options bypass High
GHSA-rpm5-65cw-6hj4 was published for GitPython (pip) Apr 25, 2026
WesR Credited to WesR
GitPython: Unsafe option check validates multi_options before shlex.split transformation High
GHSA-x2qx-6953-8485 was published for GitPython (pip) Apr 25, 2026
Texuguinho1234 Credited to Texuguinho1234
LiteLLM: Authenticated command execution via MCP stdio test endpoints High
GHSA-v4p8-mg3p-g94g was published for litellm (pip) Apr 25, 2026
wlc: print_html outputs API data without HTML escaping Moderate
GHSA-gx2m-mcc2-r4p3 was published for wlc (pip) Apr 24, 2026
fg0x0 Credited to fg0x0 and nijel nijel nijel
LiteLLM has SQL Injection in Proxy API key verification Critical
GHSA-r75f-5x8p-qvmc was published for litellm (pip) Apr 24, 2026
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization High
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
shakevsky Credited to shakevsky
LiteLLM: Server-Side Template Injection in /prompts/test endpoint High
GHSA-xqmj-j6mv-4862 was published for litellm (pip) Apr 24, 2026
AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache Moderate
CVE-2026-6550 was published for aws-encryption-sdk (pip) Apr 24, 2026
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer Critical
CVE-2025-62373 was published for pipecat-ai (pip) Apr 23, 2026
Chenpinji Credited to Chenpinji
justhtml has sanitization bypass in custom policies and programmatic DOM Moderate
GHSA-vrx2-77f2-ww34 was published for justhtml (pip) Apr 22, 2026
EmilStenstrom Credited to EmilStenstrom
InstructLab Includes Functionality from Untrusted Control Sphere High
CVE-2026-6859 was published for instructlab (pip) Apr 22, 2026
InstructLab vulnerable to Path Traversal High
CVE-2026-6855 was published for instructlab (pip) Apr 22, 2026
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 Low
CVE-2026-41140 was published for poetry (pip) Apr 22, 2026
kodareef5 Credited to kodareef5 and radoering radoering radoering
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files High
CVE-2026-41066 was published for lxml (pip) Apr 21, 2026
Brubbish Credited to Brubbish
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding Moderate
CVE-2026-39378 was published for nbconvert (pip) Apr 21, 2026
g0blinResearch Credited to g0blinResearch
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames Moderate
CVE-2026-39377 was published for nbconvert (pip) Apr 21, 2026
g0blinResearch Credited to g0blinResearch
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values Moderate
CVE-2026-35588 was published for glances (pip) Apr 21, 2026
morimori-dev Credited to morimori-dev
Glances has SSRF in IP Plugin via public_api leading to credential leakage High
CVE-2026-35587 was published for glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS High
CVE-2026-34839 was published for Glances (pip) Apr 21, 2026
Venukamatchi Credited to Venukamatchi
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database