Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,268 advisories

Loading
0xmrma Credited to 0xmrma
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826) Moderate
GHSA-489g-7rxv-6c8q was published for mcp-atlassian (pip) Jul 10, 2026
daniel-mertz Credited to daniel-mertz
psd-tools vulnerable to arbitrary file write via smart-object filename Moderate
CVE-2026-49836 was published for psd-tools (pip) Jul 9, 2026
seankohjs Credited to seankohjs and yueyueL yueyueL yueyueL
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
pypdf: Possible infinite loop when processing threads/articles in writer Moderate
CVE-2026-54651 was published for pypdf (pip) Jul 9, 2026
k0w4lzk1 Credited to k0w4lzk1 and stefan6419846 stefan6419846 stefan6419846
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small Moderate
CVE-2026-53720 was published for pymonocypher (pip) Jul 9, 2026
hextheshadow Credited to hextheshadow
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager Moderate
CVE-2026-48987 was published for pyload-ng (pip) Jul 9, 2026
pevinkumar10 Credited to pevinkumar10
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs Moderate
CVE-2026-48737 was published for pyload-ng (pip) Jul 9, 2026
tonghuaroot Credited to tonghuaroot
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler Moderate
GHSA-mxwc-wh95-pw4g was published for trapster (pip) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
Weblate SSRF: outbound URL guard misses some private ranges Moderate
CVE-2026-50127 was published for weblate (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot and nijel nijel nijel
Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion Moderate
GHSA-f66q-9rf6-8795 was published for Flask-Security-Too (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path Moderate
GHSA-q855-8rh5-jfgq was published for ha-mcp (pip) Jul 7, 2026
bharat Credited to bharat
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address Moderate
CVE-2026-53533 was published for aiosmtplib (pip) Jul 7, 2026
tonghuaroot Credited to tonghuaroot
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality Moderate
CVE-2026-34225 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Open WebUI allows limited stored XSS vila uploaded html file Moderate
CVE-2025-46571 was published for open-webui (pip) Jul 7, 2026
choket Credited to choket
ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs) Moderate
CVE-2026-44512 was published for onnx (pip) Jul 7, 2026
MinicoAI Credited to MinicoAI
Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint Moderate
CVE-2026-54724 was published for kiwitcms (pip) Jul 6, 2026
martindios Credited to martindios
WeasyPrint has CSS Injection via Presentational Hints Moderate
CVE-2026-49452 was published for weasyprint (pip) Jul 6, 2026
AyushParkara Credited to AyushParkara
Open Babel has out-of-bounds read in PQS lowerit (pre-buffer read) Moderate
CVE-2025-11000 was published for openbabel (pip) Jul 1, 2026
Open Babel has NULL pointer dereference in CACAO CacaoFormat::SetHilderbrandt Moderate
CVE-2025-10999 was published for openbabel (pip) Jul 1, 2026
Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers Moderate
GHSA-75mw-h36v-2jv7 was published for dosage (pip) Jun 26, 2026
yueyueL Credited to yueyueL
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization Moderate
CVE-2026-48990 was published for joserfc (pip) Jun 26, 2026
0xHunSec Credited to 0xHunSec
nono-py's policy JSON accepts unknown security fields Moderate
GHSA-m8j6-rc5x-wv36 was published for nono-py (pip) Jun 26, 2026
nono-py vulnerable to authorization bypass / policy confusion Moderate
GHSA-9j7f-3r4p-pwh6 was published for nono-py (pip) Jun 26, 2026
nono-py has proxy-only network fallback bypass on older Linux kernels Moderate
GHSA-72w7-mf9g-733p was published for nono-py (pip) Jun 26, 2026
lukehinds Credited to lukehinds
ProTip! Advisories are also available from the GraphQL API