GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,268 advisories
Filter by severity
CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources
Moderate
GHSA-9mqm-qcwf-5qhg
was published
for
credsweeper
(pip)
Jul 10, 2026
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Moderate
GHSA-489g-7rxv-6c8q
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
pypdf: Possible infinite loop when processing threads/articles in writer
Moderate
CVE-2026-54651
was published
for
pypdf
(pip)
Jul 9, 2026
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
Moderate
CVE-2026-53720
was published
for
pymonocypher
(pip)
Jul 9, 2026
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager
Moderate
CVE-2026-48987
was published
for
pyload-ng
(pip)
Jul 9, 2026
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs
Moderate
CVE-2026-48737
was published
for
pyload-ng
(pip)
Jul 9, 2026
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler
Moderate
GHSA-mxwc-wh95-pw4g
was published
for
trapster
(pip)
Jul 8, 2026
Weblate SSRF: outbound URL guard misses some private ranges
Moderate
CVE-2026-50127
was published
for
weblate
(pip)
Jul 7, 2026
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion
Moderate
GHSA-f66q-9rf6-8795
was published
for
Flask-Security-Too
(pip)
Jul 7, 2026
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Moderate
GHSA-q855-8rh5-jfgq
was published
for
ha-mcp
(pip)
Jul 7, 2026
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
Moderate
CVE-2026-53533
was published
for
aiosmtplib
(pip)
Jul 7, 2026
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality
Moderate
CVE-2026-34225
was published
for
open-webui
(pip)
Jul 7, 2026
Open WebUI allows limited stored XSS vila uploaded html file
Moderate
CVE-2025-46571
was published
for
open-webui
(pip)
Jul 7, 2026
ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs)
Moderate
CVE-2026-44512
was published
for
onnx
(pip)
Jul 7, 2026
Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint
Moderate
CVE-2026-54724
was published
for
kiwitcms
(pip)
Jul 6, 2026
WeasyPrint has CSS Injection via Presentational Hints
Moderate
CVE-2026-49452
was published
for
weasyprint
(pip)
Jul 6, 2026
Open Babel has out-of-bounds read in PQS lowerit (pre-buffer read)
Moderate
CVE-2025-11000
was published
for
openbabel
(pip)
Jul 1, 2026
Open Babel has NULL pointer dereference in CACAO CacaoFormat::SetHilderbrandt
Moderate
CVE-2025-10999
was published
for
openbabel
(pip)
Jul 1, 2026
Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers
Moderate
GHSA-75mw-h36v-2jv7
was published
for
dosage
(pip)
Jun 26, 2026
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
Moderate
CVE-2026-48990
was published
for
joserfc
(pip)
Jun 26, 2026
nono-py's policy JSON accepts unknown security fields
Moderate
GHSA-m8j6-rc5x-wv36
was published
for
nono-py
(pip)
Jun 26, 2026
nono-py vulnerable to authorization bypass / policy confusion
Moderate
GHSA-9j7f-3r4p-pwh6
was published
for
nono-py
(pip)
Jun 26, 2026
nono-py has proxy-only network fallback bypass on older Linux kernels
Moderate
GHSA-72w7-mf9g-733p
was published
for
nono-py
(pip)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API