GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
5,685 advisories
Filter by severity
daphne: WebSocket handshake header smuggling through autobahn splitlines() mishandling of non-standard line separators
Low
CVE-2026-44546
was published
for
daphne
(pip)
Jun 3, 2026
daphne: Unauthenticated attackers can cause excessive memory consumption by sending arbitrarily large WebSocket messages/frames
Moderate
CVE-2026-44545
was published
for
daphne
(pip)
Jun 3, 2026
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
High
GHSA-h4g2-xfmw-q2c9
was published
for
clauster
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment
High
GHSA-g5r6-gv6m-f5jv
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary server-side file read via attachment upload
High
GHSA-wm45-qh3g-v83f
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
High
CVE-2026-54071
was published
for
BabelDOC
(pip)
Jul 10, 2026
MLflow: Environment variable injection in AI Gateway secrets enables server-side credential exfiltration
Critical
CVE-2026-4035
was published
for
mlflow
(pip)
Jun 3, 2026
CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources
Moderate
GHSA-9mqm-qcwf-5qhg
was published
for
credsweeper
(pip)
Jul 10, 2026
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Moderate
GHSA-489g-7rxv-6c8q
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
Code Index MCP is vulnerable to Uncontrolled Resource Consumption
Low
CVE-2026-10692
was published
for
code-index-mcp
(pip)
Jun 3, 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Moderate
CVE-2026-48710
was published
for
starlette
(pip)
Jun 4, 2026
pip: Path traversal in console_scripts/gui_scripts entry point names allows installing scripts outside of target directory
Moderate
CVE-2026-8643
was published
for
pip
(pip)
Jun 1, 2026
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
High
GHSA-rpj2-4hq8-938g
was published
for
vcrpy
(pip)
Jun 19, 2026
Mistune: Potential DoS via quadratic-time parsing in parse_link_text
High
CVE-2026-49851
was published
for
mistune
(pip)
Jul 9, 2026
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
Jupyter Server vulnerable to Path Traversal via incorrect root directory boundary check in _get_os_path()
Moderate
CVE-2026-5422
was published
for
jupyter-server
(pip)
Jun 2, 2026
Apache Airflow has no certificate validation on SMTP STARTTLS connections
Moderate
CVE-2026-49267
was published
for
apache-airflow
(pip)
Jun 1, 2026
hermes-agent has an Injection issue
Low
CVE-2026-10222
was published
for
hermes-agent
(pip)
Jun 1, 2026
pypdf: Possible infinite loop when processing threads/articles in writer
Moderate
CVE-2026-54651
was published
for
pypdf
(pip)
Jul 9, 2026
Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory
Critical
CVE-2026-50203
was published
for
apache-airflow-providers-sftp
(pip)
Jun 17, 2026
vantage6 node has an Improper Access Control issue
Moderate
CVE-2026-54533
was published
for
vantage6
(pip)
Jun 5, 2026
Vantage6: Set admin user and password from environment or configuration
Moderate
CVE-2026-54445
was published
for
vantage6
(pip)
Jun 5, 2026
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
High
CVE-2026-48989
was published
for
windows-mcp
(pip)
May 21, 2026
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
Moderate
CVE-2026-48817
was published
for
starlette
(pip)
Jun 15, 2026
ProTip!
Advisories are also available from the
GraphQL API