GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,885 advisories

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint Moderate
CVE-2026-33866 was published for mlflow (pip) Apr 7, 2026
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions Moderate
GHSA-rfgh-63mg-8pwm was published for pyload-ng (pip) Apr 8, 2026
Credited to komi22
HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class Moderate
CVE-2026-1839 was published for transformers (pip) Apr 7, 2026
lightrag-hku: JWT Algorithm Confusion Vulnerability Moderate
CVE-2026-39413 was published for lightrag-hku (pip) Apr 8, 2026
JWCrypto: JWE ZIP decompression bomb Moderate
CVE-2026-39373 was published for jwcrypto (pip) Apr 8, 2026
Credited to hkmj19
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass Moderate
CVE-2026-35592 was published for pyload-ng (pip) Apr 8, 2026
Credited to offset
kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write Moderate
CVE-2026-35492 was published for kedro-datasets (pip) Apr 6, 2026
Credited to redyank
OpenStack Keystone Denial of Service vulnerability via a large HTTP request Moderate
CVE-2013-0270 was published for keystone (pip) May 5, 2022
OpenStack Keystone intended authorization restrictions bypass Moderate
CVE-2012-5571 was published for Keystone (pip) May 17, 2022
D-Tale: Remote Code Execution through redis/shelf storage Moderate
CVE-2026-35052 was published for dtale (pip) Apr 3, 2026
Credited to QiaoNPC
vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server Moderate
CVE-2026-34756 was published for vllm (pip) Apr 3, 2026
Credited to ez-lbz, russellb, and jperezdealgaba
vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing Moderate
CVE-2026-34755 was published for vllm (pip) Apr 3, 2026
Credited to SEORY0, russellb, jperezdealgaba, DarkLight1337, and Isotr0py
vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url` Moderate
CVE-2026-34753 was published for vllm (pip) Apr 3, 2026
Credited to Fushuling, L2ncE, TsingShui, l2yyd5, Danthology, arthur-stat, BoyiZhao, russellb, jperezdealgaba, and Victor-code-Y
AIOHTTP has a Multipart Header Size Bypass Moderate
CVE-2026-34516 was published for aiohttp (pip) Apr 1, 2026
Credited to bekkaze and Dreamsorcerer
LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service) Moderate
CVE-2026-34052 was published for jupyterhub-ltiauthenticator (pip) Apr 3, 2026
Credited to yueyueL
JupyterHub has an Open Redirect Vulnerability Moderate
CVE-2026-33709 was published for jupyterhub (pip) Apr 3, 2026
Credited to RacerZ-fighting and Fushuling
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() Moderate
CVE-2026-34939 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30
OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp Moderate
CVE-2026-26981 was published for OpenEXR (pip) Apr 6, 2026
Credited to JungWooJJING
OpenEXR has use after free in PyObject_StealAttrString Moderate
CVE-2025-64183 was published for OpenEXR (pip) Apr 6, 2026
Credited to MegaManSec
OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel() Moderate
CVE-2025-64182 was published for OpenEXR (pip) Apr 6, 2026
Credited to MegaManSec
FastMCP has a Command Injection vulnerability - Gemini CLI Moderate
CVE-2025-64340 was published for fastmcp (pip) Mar 31, 2026
Credited to nil340
alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API Moderate
CVE-2026-34400 was published for alerta-server (pip) Mar 31, 2026
Credited to dakotacody
Copier `_subdirectory` allows template root escape via parent-directory traversal Moderate
CVE-2026-34726 was published for copier (pip) Apr 1, 2026
Credited to evipepota and sisp