GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,517 advisories

Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection Critical
CVE-2026-27641 was published for flask-reuploaded (pip) Feb 25, 2026
Credited to cjaron03
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function High
CVE-2026-25733 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
Rucio WebUI has Username Enumeration via Login Error Message Moderate
CVE-2026-25138 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability High
CVE-2026-25136 was published for rucio-webui (pip) Feb 25, 2026
Credited to d-woosley
OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function Moderate
CVE-2026-26717 was published for richie (pip) Feb 25, 2026
Credited to rampageservices
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering Critical
CVE-2026-27614 was published for bugsink (pip) Feb 25, 2026
Credited to ByamB4
Fickling has safety check bypass via REDUCE+BUILD opcode sequence Moderate
GHSA-mhc9-48gj-9gp3 was published for fickling (pip) Feb 25, 2026
Credited to yash2998chhabria
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
Credited to yash2998chhabria
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution High
CVE-2026-27483 was published for mindsdb (pip) Feb 24, 2026
Credited to XlabAITeam
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution Moderate
CVE-2026-27156 was published for nicegui (pip) Feb 24, 2026
Credited to anuraagbaishya, evnchn, and falkoschindler
Isso affected by Stored XSS via comment website field Moderate
CVE-2026-27469 was published for isso (pip) Feb 24, 2026
Credited to ByamB4 and jelmer
Apache Superset allows authenticated users to view sensitive data without explicit permissions Low
CVE-2026-23983 was published for apache-superset (pip) Feb 24, 2026
Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections High
CVE-2026-23984 was published for apache-superset (pip) Feb 24, 2026
Apache Superset allows privileged users to conduct error-based SQL Injection Moderate
CVE-2026-23980 was published for apache-superset (pip) Feb 24, 2026
Apache Superset Improper Authorization allows low-privileged users to bypass access controls High
CVE-2026-23982 was published for apache-superset (pip) Feb 24, 2026
Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine Moderate
CVE-2026-23969 was published for apache-superset (pip) Feb 24, 2026
Apache Airflow exposes sensitive information in its log files Moderate
CVE-2025-27555 was published for apache-airflow (pip) Feb 24, 2026
Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table High
CVE-2024-56373 was published for apache-airflow (pip) Feb 24, 2026
yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option High
CVE-2026-26331 was published for yt-dlp (pip) Feb 23, 2026
Credited to dxlerYT, Grub4K, and bashonly
ormar is vulnerable to SQL Injection through aggregate functions min() and max() Critical
CVE-2026-26198 was published for ormar (pip) Feb 23, 2026
Credited to AAtomical
datapizza-ai has unsafe deserialization via pickle.loads() in RedisCache Low
CVE-2026-2970 was published for datapizza-ai-core (pip) Feb 23, 2026
datapizza-ai: Server-Side Template Injection in ChatPromptTemplate via Jinja2 Template Handler Low
CVE-2026-2969 was published for datapizza-ai-core (pip) Feb 23, 2026
Apache Airflow error reporting may expose full kwargs Moderate
CVE-2025-65995 was published for apache-airflow (pip) Feb 21, 2026
MLflow Use of Default Password Authentication Bypass Vulnerability Critical
CVE-2026-2635 was published for mlflow (pip) Feb 21, 2026