GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,328 advisories

Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading High
CVE-2026-1669 was published for keras (pip) Feb 18, 2026
Credited to N3mes1s
pypdf possibly has long runtimes for malformed FlateDecode streams Moderate
CVE-2026-27026 was published for pypdf (pip) Feb 18, 2026
Credited to CheonWoong-Park and stefan6419846
pypdf has possible long runtimes/large memory usage for large /ToUnicode streams Moderate
CVE-2026-27025 was published for pypdf (pip) Feb 18, 2026
Credited to CheonWoong-Park and stefan6419846
pypdf has a possible infinite loop when processing TreeObject Moderate
CVE-2026-27024 was published for pypdf (pip) Feb 18, 2026
Credited to CheonWoong-Park and stefan6419846
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
GHSA-97f8-7cmv-76j2 was published for picklescan (pip) Feb 18, 2026
Credited to zpbrent
Skill-scanner Unsecured Network Binding Vulnerability Moderate
CVE-2026-26057 was published for cisco-ai-skill-scanner (pip) Feb 17, 2026
Credited to RichardoC and vineethsai7
Indico Affected by Cross-Site-Scripting via material uploads Moderate
CVE-2026-25739 was published for indico (pip) Feb 17, 2026
Credited to dreyercito
Indico has Server-Side Request Forgery (SSRF) in multiple places Moderate
CVE-2026-25738 was published for indico (pip) Feb 17, 2026
Credited to rahulgovind, inkz, and yueyueL
Weblate has an argument injection in management console Moderate
CVE-2026-24126 was published for Weblate (pip) Feb 17, 2026
Credited to alexb616 and nijel
pretix unsafely evaluates variables in emails High
CVE-2026-2415 was published for pretix (pip) Feb 16, 2026
MindsDB affected by a SSRF vulnerability Low
CVE-2026-2531 was published for MindsDB (pip) Feb 16, 2026
sqlparse: formatting list of tuples leads to denial of service Moderate
GHSA-27jp-wm6q-gp25 was published for sqlparse (pip) Feb 13, 2026
Credited to jacobtylerwalls
Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration) High
GHSA-gfmx-qqqh-f38q was published for keras (pip) Feb 12, 2026 withdrawn
DiskCache has unsafe pickle deserialization Moderate
CVE-2025-69872 was published for diskcache (pip) Feb 11, 2026
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages Low
CVE-2026-26013 was published for langchain-core (pip) Feb 11, 2026
Credited to Finder16
Pillow affected by out-of-bounds write when loading PSD images High
CVE-2026-25990 was published for pillow (pip) Feb 11, 2026
Credited to wiredfool, radarhere, hugovk, and yardenporat353
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
Credited to XlabAITeam, tl2cents, keenanwgn, and A7um
Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE Critical
CVE-2026-21531 was published for azure-ai-language-conversations-authoring (pip) Feb 10, 2026
Credited to scottaddie
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service High
CVE-2026-25577 was published for emmett-core (pip) Feb 10, 2026
Credited to Ryu-GeonWoo
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection Moderate
CVE-2026-25528 was published for langsmith (npm) Feb 9, 2026
Credited to Sirdorblu
Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access Moderate
CVE-2026-22922 was published for apache-airflow (pip) Feb 9, 2026
Credited to saivarun3407 and tei-dunamu
Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users Moderate
CVE-2026-24098 was published for apache-airflow (pip) Feb 9, 2026
Credited to saivarun3407