GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32 advisories

vLLM has SSRF Protection Bypass Moderate
CVE-2026-25960 was published for vllm (pip) Mar 9, 2026
Credited to RacerZ-fighting, russellb, DarkLight1337, and Isotr0py
vLLM has RCE In Video Processing Critical
CVE-2026-22778 was published for vllm (pip) Feb 2, 2026
Credited to dan-sec-ops, DarkLight1337, and russellb
vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector High
CVE-2026-24779 was published for vllm (pip) Jan 28, 2026
Credited to leishilong, leung-yao, Isotr0py, and russellb
vLLM affected by RCE via auto_map dynamic module loading during model initialization High
CVE-2026-22807 was published for vllm (pip) Jan 21, 2026
Credited to zaddy6, arthurgervais, DarkLight1337, and russellb
vLLM vulnerable to remote code execution via transformers_utils/get_config High
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Credited to Vancir, Isotr0py, DarkLight1337, and russellb
Credited to russellb, Isotr0py, and DarkLight1337
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs High
CVE-2025-62372 was published for vllm (pip) Nov 20, 2025
Credited to DarkLight1337, ywang96, Isotr0py, and russellb
vLLM deserialization vulnerability leading to DoS and potential RCE High
CVE-2025-62164 was published for vllm (pip) Nov 20, 2025
Credited to omriaxion, russellb, DarkLight1337, Isotr0py, ywang96, and davidatom
vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class High
CVE-2025-6242 was published for vllm (pip) Oct 7, 2025
Credited to kexinoh, d3do-23, lonelyuan, huachenheli, DarkLight1337, russellb, and sidhpurwala-huzaifa
vLLM is vulnerable to timing attack at bearer auth High
CVE-2025-59425 was published for vllm (pip) Oct 7, 2025
Credited to NiuBlibing and russellb
vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder High
CVE-2025-9141 was published for vllm (pip) Aug 21, 2025
Credited to levigross and russellb
vllm API endpoints vulnerable to Denial of Service Attacks High
CVE-2025-48956 was published for vllm (pip) Aug 21, 2025
Credited to jperezdealgaba, russellb, and taneem-ibrahim
vLLM Tool Schema allows DoS via Malformed pattern and type Fields Moderate
CVE-2025-48944 was published for vllm (pip) May 28, 2025
Credited to russellb and Jason-CKY
vLLM allows clients to crash the openai server with invalid regex Moderate
CVE-2025-48943 was published for vllm (pip) May 28, 2025
Credited to g-eoj, russellb, and Jason-CKY
vLLM DOS: Remotely kill vllm over http with invalid JSON schema Moderate
CVE-2025-48942 was published for vllm (pip) May 28, 2025
Credited to derekhiggins, Jason-CKY, and russellb
vLLM has a Weakness in MultiModalHasher Image Hashing Implementation Moderate
CVE-2025-46722 was published for vllm (pip) May 28, 2025
Credited to kexinoh, DarkLight1337, and russellb
Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching Low
CVE-2025-46570 was published for vllm (pip) May 28, 2025
Credited to russellb, dr75, and DarkLight1337
vLLM vulnerable to Regular Expression Denial of Service Moderate
GHSA-j828-28rj-hfhp was published for vllm (pip) May 28, 2025
Credited to kexinoh, russellb, and mgoin
Credited to kexinoh, russellb, and mgoin
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service Critical
CVE-2025-47277 was published for vllm (pip) May 20, 2025
Credited to kikayli, russellb, and funscoietyxboyz
Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration High
CVE-2025-30165 was published for vllm (pip) May 6, 2025
Credited to avioligo and russellb
phi4mm: Quadratic Time Complexity in Input Token Processing leads to denial of service Moderate
CVE-2025-46560 was published for vllm (pip) Apr 29, 2025
Credited to kexinoh, d3do-23, lonelyuan, russellb, DarkLight1337, and Isotr0py
vLLM Vulnerable to Remote Code Execution via Mooncake Integration Critical
CVE-2025-32444 was published for vllm (pip) Apr 29, 2025
Credited to kexinoh, ShangmingCai, and russellb
Data exposure via ZeroMQ on multi-node vLLM deployment High
CVE-2025-30202 was published for vllm (pip) Apr 29, 2025
Credited to russellb and kexinoh
CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0 Critical
GHSA-ggpf-24jw-3fcw was published for vllm (pip) Apr 23, 2025
Credited to azraelxuemo and russellb