Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

570 advisories

Loading
Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID Critical
CVE-2024-25128 was published for Flask-AppBuilder (pip) Feb 28, 2024
parantheses Credited to parantheses and dpgaspar dpgaspar dpgaspar
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py Critical
CVE-2026-33057 was published for mesop (pip) Mar 18, 2026
liyander Credited to liyander
Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion Critical
CVE-2026-33054 was published for mesop (pip) Mar 18, 2026
liyander Credited to liyander
Langflow has an Arbitrary File Write (RCE) via v2 API Critical
CVE-2026-33309 was published for langflow (pip) Mar 19, 2026
akshatgit Credited to akshatgit, abhinavagarwal07, Jkavia, and andifilhohub abhinavagarwal07 abhinavagarwal07
Jkavia Jkavia andifilhohub andifilhohub
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist` Critical
CVE-2026-32633 was published for Glances (pip) Mar 16, 2026
restriction Credited to restriction
pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string Critical
CVE-2024-23346 was published for pymatgen (pip) Feb 21, 2024
SteakEnthusiast Credited to SteakEnthusiast and mkhorton mkhorton mkhorton
Improper Certificate Validation in apache airflow mongo hook Critical
CVE-2024-25141 was published for apache-airflow-providers-mongo (pip) Feb 20, 2024
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint Critical
CVE-2026-33017 was published for langflow (pip) Mar 17, 2026
Aviral2642 Credited to Aviral2642, andifilhohub, and Jkavia andifilhohub andifilhohub
Jkavia Jkavia
MLflow Use of Default Password Authentication Bypass Vulnerability Critical
CVE-2026-2635 was published for mlflow (pip) Feb 21, 2026
Authlib JWS JWK Header Injection: Signature Verification Bypass Critical
CVE-2026-27962 was published for authlib (pip) Mar 16, 2026
Jaynornj Credited to Jaynornj and Pr00fOf3xpl0it Pr00fOf3xpl0it Pr00fOf3xpl0it
MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution Critical
CVE-2024-27133 was published for mlflow (pip) Feb 24, 2024
oscerd Credited to oscerd and gabby202308 gabby202308 gabby202308
Cross-site Scripting in MLFlow Critical
CVE-2024-27132 was published for mlflow (pip) Feb 24, 2024
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker Critical
CVE-2026-3059 was published for sglang (pip) Mar 12, 2026
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module Critical
CVE-2026-3060 was published for sglang (pip) Mar 12, 2026
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment Critical
CVE-2026-27825 was published for mcp-atlassian (pip) Mar 10, 2026
yotampe-pluto Credited to yotampe-pluto and gil-maman-p gil-maman-p gil-maman-p
asyncmy is vulnerable to SQL injection via crafted dict keys Critical
CVE-2025-65896 was published for asyncmy (pip) Dec 2, 2025
jfsoden Credited to jfsoden
OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection Critical
CVE-2026-28370 was published for vitrage (pip) Feb 27, 2026
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's pkgutil.resolve_name has a universal blocklist bypass Critical
GHSA-vvpj-8cmc-gx39 was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-7wx9-6375-f5wh was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection Critical
CVE-2026-27641 was published for flask-reuploaded (pip) Feb 25, 2026
cjaron03 Credited to cjaron03
Langflow has Remote Code Execution in CSV Agent Critical
CVE-2026-27966 was published for langflow (pip) Feb 27, 2026
weblover12 Credited to weblover12, andifilhohub, and Adam-Aghili andifilhohub andifilhohub
Adam-Aghili Adam-Aghili
NLTK has a Zip Slip Vulnerability Critical
CVE-2025-14009 was published for nltk (pip) Feb 18, 2026
leegks Credited to leegks and adamlaurencik adamlaurencik adamlaurencik
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering Critical
CVE-2026-27614 was published for bugsink (pip) Feb 25, 2026
ByamB4 Credited to ByamB4
ormar is vulnerable to SQL Injection through aggregate functions min() and max() Critical
CVE-2026-26198 was published for ormar (pip) Feb 23, 2026
AAtomical Credited to AAtomical
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database