Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,685 advisories

Loading
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset High
GHSA-h4g2-xfmw-q2c9 was published for clauster (pip) Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment High
GHSA-g5r6-gv6m-f5jv was published for mcp-atlassian (pip) Jul 10, 2026
rainfantry Credited to rainfantry
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py High
CVE-2026-54071 was published for BabelDOC (pip) Jul 10, 2026
EQSTLab Credited to EQSTLab and awwaawwa awwaawwa awwaawwa
0xmrma Credited to 0xmrma
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826) Moderate
GHSA-489g-7rxv-6c8q was published for mcp-atlassian (pip) Jul 10, 2026
daniel-mertz Credited to daniel-mertz
Code Index MCP is vulnerable to Uncontrolled Resource Consumption Low
CVE-2026-10692 was published for code-index-mcp (pip) Jun 3, 2026
x41j Credited to x41j, ehhthing, and nic-lovin ehhthing ehhthing
nic-lovin nic-lovin
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files High
GHSA-rpj2-4hq8-938g was published for vcrpy (pip) Jun 19, 2026
RamiAltai Credited to RamiAltai and EQSTLab EQSTLab EQSTLab
Mistune: Potential DoS via quadratic-time parsing in parse_link_text High
CVE-2026-49851 was published for mistune (pip) Jul 9, 2026
bhanugoudm041 Credited to bhanugoudm041
psd-tools vulnerable to arbitrary file write via smart-object filename Moderate
CVE-2026-49836 was published for psd-tools (pip) Jul 9, 2026
seankohjs Credited to seankohjs and yueyueL yueyueL yueyueL
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
Jupyter Server vulnerable to Path Traversal via incorrect root directory boundary check in _get_os_path() Moderate
CVE-2026-5422 was published for jupyter-server (pip) Jun 2, 2026
Apache Airflow has no certificate validation on SMTP STARTTLS connections Moderate
CVE-2026-49267 was published for apache-airflow (pip) Jun 1, 2026
francisbergin Credited to francisbergin
hermes-agent has an Injection issue Low
CVE-2026-10222 was published for hermes-agent (pip) Jun 1, 2026
pypdf: Possible infinite loop when processing threads/articles in writer Moderate
CVE-2026-54651 was published for pypdf (pip) Jul 9, 2026
k0w4lzk1 Credited to k0w4lzk1 and stefan6419846 stefan6419846 stefan6419846
Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory Critical
CVE-2026-50203 was published for apache-airflow-providers-sftp (pip) Jun 17, 2026
vantage6 node has an Improper Access Control issue Moderate
CVE-2026-54533 was published for vantage6 (pip) Jun 5, 2026
Vantage6: Set admin user and password from environment or configuration Moderate
CVE-2026-54445 was published for vantage6 (pip) Jun 5, 2026
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS High
CVE-2026-48989 was published for windows-mcp (pip) May 21, 2026
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr` Moderate
CVE-2026-48817 was published for starlette (pip) Jun 15, 2026
ProTip! Advisories are also available from the GraphQL API