GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,831 advisories

Apache Airflow allows code execution through crafted XCom payloads (High)
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026
Credited to Brubbish

Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 (Low)
CVE-2026-41140 was published for poetry (pip) Apr 22, 2026
Credited to kodareef5 and radoering

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint (Moderate)
CVE-2026-33866 was published for mlflow (pip) Apr 7, 2026

PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection (Critical)
CVE-2026-41497 was published for praisonai (pip) Apr 17, 2026
Credited to decsecre583

Glances has SSRF in IP Plugin via public_api leading to credential leakage (High)
CVE-2026-35587 was published for glances (pip) Apr 21, 2026
Credited to Venukamatchi
Credited to BerSecHub
Credited to alexwaira, vyprsec-research, and romain-deperne

langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding (Low)
CVE-2026-41488 was published for langchain-openai (pip) Apr 16, 2026
Credited to deprrous

LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass (Moderate)
CVE-2026-41481 was published for langchain-text-splitters (pip) Apr 16, 2026
Credited to Aeg1sx

Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass (Critical)
CVE-2026-39987 was published for marimo (pip) Apr 8, 2026
Credited to q1uf3ng

FITS GZIP decompression bomb in Pillow (High)
CVE-2026-40192 was published for pillow (pip) Apr 13, 2026
Credited to sammiee5311

JupyterHub has an Open Redirect Vulnerability (Moderate)
CVE-2026-33709 was published for jupyterhub (pip) Apr 3, 2026
Credited to RacerZ-fighting and Fushuling

pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders (Moderate)
CVE-2026-41426 was published for pretalx (pip) Apr 18, 2026
Credited to markfijneman

Authlib: Cross-site request forging when using cache (Moderate)
CVE-2026-41425 was published for authlib (pip) Apr 16, 2026

Biopython is vulnerable to doctype XML external entity (XXE) injection through Bio.Entrez (Moderate)
CVE-2025-68463 was published for biopython (pip) Dec 18, 2025

Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates (Moderate)
CVE-2026-40602 was published for homeassistant-cli (pip) Apr 16, 2026
Credited to heyitsPiyush and fabaff
Credited to offset

mitmproxy has an LDAP Injection (Moderate)
CVE-2026-40606 was published for mitmproxy (pip) Apr 14, 2026
Credited to yueyueL and mhils

lightrag-hku: JWT Algorithm Confusion Vulnerability (Moderate)
CVE-2026-39413 was published for lightrag-hku (pip) Apr 8, 2026
Credited to tanishqshah2

Glances Vulnerable to Command Injection via Dynamic Configuration Values (High)
CVE-2026-33641 was published for Glances (pip) Mar 30, 2026
Credited to mith36

Giskard has Unsandboxed Jinja2 Template Rendering in ConformityCheck (Moderate)
CVE-2026-40320 was published for giskard-checks (pip) Apr 14, 2026
Credited to dhabaleshwar

Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check (Low)
CVE-2026-40319 was published for giskard-checks (pip) Apr 14, 2026
Credited to dhabaleshwar

GitPython has Command Injection via Git options bypass (High)
GHSA-rpm5-65cw-6hj4 was published for GitPython (pip) Apr 25, 2026
Credited to WesR