GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

560 advisories

OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection Critical
CVE-2026-28370 was published for vitrage (pip) Feb 27, 2026
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
Credited to yash2998chhabria
PickleScan's pkgutil.resolve_name has a universal blocklist bypass Critical
GHSA-vvpj-8cmc-gx39 was published for picklescan (pip) Mar 3, 2026
Credited to yash2998chhabria
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-7wx9-6375-f5wh was published for picklescan (pip) Mar 3, 2026
Credited to yash2998chhabria
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection Critical
CVE-2026-27641 was published for flask-reuploaded (pip) Feb 25, 2026
Credited to cjaron03
Langflow has Remote Code Execution in CSV Agent Critical
CVE-2026-27966 was published for langflow (pip) Feb 27, 2026
Credited to weblover12, andifilhohub, and Adam-Aghili
NLTK has a Zip Slip Vulnerability Critical
CVE-2025-14009 was published for nltk (pip) Feb 18, 2026
Credited to leegks and adamlaurencik
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering Critical
CVE-2026-27614 was published for bugsink (pip) Feb 25, 2026
Credited to ByamB4
ormar is vulnerable to SQL Injection through aggregate functions min() and max() Critical
CVE-2026-26198 was published for ormar (pip) Feb 23, 2026
Credited to AAtomical
Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK Critical
CVE-2026-25592 was published for Microsoft.SemanticKernel.Core (NuGet) Feb 6, 2026
Credited to doredry, amiteliahu, and urioren
Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution Critical
CVE-2026-26030 was published for semantic-kernel (pip) Feb 19, 2026
Credited to amiteliahu, doredry, and urioren
Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter Critical
CVE-2026-26216 was published for Crawl4AI (pip) Jan 16, 2026
Crawl4AI Has Local File Inclusion in Docker API via file:// URLs Critical
CVE-2026-26217 was published for crawl4ai (pip) Jan 16, 2026
Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE Critical
CVE-2026-21531 was published for azure-ai-language-conversations-authoring (pip) Feb 10, 2026
Credited to scottaddie
Keylime Missing Authentication for Critical Function and Improper Authentication Critical
CVE-2026-1709 was published for keylime (pip) Feb 6, 2026
Credited to saivarun3407 and Death-Incarnate
Duplicate Advisory: Keylime Missing Authentication for Critical Function and Improper Authentication Critical
GHSA-27jc-jmp8-qfw5 was published for keylime (pip) Feb 6, 2026 withdrawn
Langroid has WAF Bypass Leading to RCE in TableChatAgent Critical
CVE-2026-25481 was published for langroid (pip) Feb 2, 2026
Credited to Ka7arotto
EPyT-Flow vulnerable to unsafe JSON deserialization (__type__) Critical
CVE-2026-25632 was published for epyt-flow (pip) Feb 4, 2026
Credited to syphonetic
Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication Critical
CVE-2026-25505 was published for bambuddy (pip) Feb 2, 2026
Credited to Speenah
A single post-release of dydx-v4-client contained obfuscated multi-stage loader Critical
GHSA-4f84-67cv-qrv3 was published for dydx-v4-client (pip) Feb 6, 2026
Weblate is vulnerable to RCE through Git config file overwrite Critical
CVE-2025-68398 was published for Weblate (pip) Dec 18, 2025
Credited to secjson and nijel
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write Critical
CVE-2025-64712 was published for unstructured (pip) Feb 3, 2026
Gradio allows users to access arbitrary files Critical
CVE-2024-1728 was published for gradio (pip) Sep 25, 2024
Credited to PinkDraconian
Workers for local Dask clusters mistakenly listened on public interfaces Critical
CVE-2021-42343 was published for distributed (pip) Jul 15, 2022
Duplicate Advisory: Remote code execution in dask Critical
GHSA-j8fq-86c5-5v2r was published for dask (pip) Oct 27, 2021 withdrawn
ProTip! Advisories are also available from the GraphQL API