GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,767 advisories

TorchGeo Remote Code Execution Vulnerability High
CVE-2024-49048 was published for torchgeo (pip) Apr 1, 2026
Credited to zpbrent, calebrob6, and adamjstewart
Duplicate Advisory: TorchGeo Remote Code Execution Vulnerability High
GHSA-g5vp-j278-8pjh was published for torchgeo (pip) Nov 12, 2024 (withdrawn)
alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API High
CVE-2026-34400 was published for alerta-server (pip) Mar 31, 2026
Credited to dakotacody
MLFlow allows Tracing + Assessments Access High
CVE-2025-15381 was published for mlflow (pip) Mar 27, 2026
SciTokens has an Authorization Bypass via Path Traversal in Scope Validation High
CVE-2026-32727 was published for scitokens (pip) Mar 31, 2026
Credited to pmcao and djw8605
SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking High
CVE-2026-32716 was published for scitokens (pip) Mar 31, 2026
Credited to pmcao and djw8605
onnx Vulnerable to Path Traversal via Symlink High
CVE-2026-27489 was published for onnx (pip) Mar 31, 2026
Credited to pi3ch, an7y, and kodareef5
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions High
CVE-2026-34070 was published for langchain-core (pip) Mar 27, 2026
Credited to jiayuqi7813, VladimirEliTokarev, Rickidevs, and kennethkcox
Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters High
CVE-2026-33981 was published for changedetection.io (pip) Mar 27, 2026
Credited to sajdakabir, zerotrail-ai, and romain-deperne
Glances Vulnerable to Command Injection via Dynamic Configuration Values High
CVE-2026-33641 was published for Glances (pip) Mar 30, 2026
Credited to mith36 and tanishqshah2
Modoboa has OS Command Injection High
CVE-2026-27602 was published for modoboa (pip) Mar 25, 2026
Credited to ByamB4 and offset
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check High
CVE-2026-34046 was published for langflow (pip) Mar 27, 2026
Credited to chximn-dt and AntonioABLima
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name High
CVE-2025-62172 was published for homeassistant (pip) Oct 14, 2025
Credited to pwnpanda
BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml High
CVE-2026-33744 was published for bentoml (pip) Mar 26, 2026
Credited to golang-not-rust
OpenHands is Vulnerable to Command Injection through its Git Diff Handler High
CVE-2026-33718 was published for openhands (pip) Mar 25, 2026
Credited to yueyueL and ESPanda666
Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions High
CVE-2026-33430 was published for briefcase (pip) Mar 23, 2026
Credited to lrandersson
langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading High
CVE-2026-33497 was published for langflow (pip) Mar 20, 2026
Credited to r00tuser111, erichare, AntonioABLima, and Inar1Dev
vLLM: Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out High
CVE-2026-27893 was published for vllm (pip) Mar 27, 2026
Credited to Wernerina and russellb