Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,049
Maven
5,000+
npm
4,787
NuGet
825
pip
4,384
Pub
12
RubyGems
988
Rust
1,144
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,669 advisories

Loading
changedetection.io is Vulnerable to SSRF via Watch URLs High
CVE-2026-27696 was published for changedetection.io (pip) Feb 25, 2026
route2shell Credited to route2shell
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function High
CVE-2026-25733 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability High
CVE-2026-25136 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
yash2998chhabria Credited to yash2998chhabria
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution High
CVE-2026-27483 was published for mindsdb (pip) Feb 24, 2026
XlabAITeam Credited to XlabAITeam
NiceGUI vulnerable to XSS via Code Injection during client-side element function execution High
CVE-2026-27156 was published for nicegui (pip) Feb 24, 2026
anuraagbaishya Credited to anuraagbaishya, evnchn, and falkoschindler evnchn evnchn
falkoschindler falkoschindler
Apache Superset Improper Authorization allows low-privileged users to bypass access controls High
CVE-2026-23982 was published for apache-superset (pip) Feb 24, 2026
Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections High
CVE-2026-23984 was published for apache-superset (pip) Feb 24, 2026
Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table High
CVE-2024-56373 was published for apache-airflow (pip) Feb 24, 2026
yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option High
CVE-2026-26331 was published for yt-dlp (pip) Feb 23, 2026
dxlerYT Credited to dxlerYT, Grub4K, and bashonly Grub4K Grub4K
bashonly bashonly
Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming High
CVE-2026-2473 was published for google-cloud-aiplatform (pip) Feb 20, 2026
Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS) High
CVE-2026-2472 was published for google-cloud-aiplatform (pip) Feb 20, 2026
D-Tale affected by Remote Code Execution through the /save-column-filter endpoint High
CVE-2026-27194 was published for dtale (pip) Feb 19, 2026
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading High
CVE-2026-1669 was published for keras (pip) Feb 18, 2026
N3mes1s Credited to N3mes1s
OpenStack Nova calls qemu-img without format restrictions for resize High
CVE-2026-24708 was published for Nova (pip) Feb 18, 2026
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
GHSA-97f8-7cmv-76j2 was published for picklescan (pip) Feb 18, 2026
zpbrent Credited to zpbrent
NVIDIA NeMo Framework Deserializes Untrusted Data High
CVE-2025-33253 was published for nemo-toolkit (pip) Feb 18, 2026
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution High
CVE-2025-33245 was published for nemo-toolkit (pip) Feb 18, 2026
pretix unsafely evaluates variables in emails High
CVE-2026-2415 was published for pretix (pip) Feb 16, 2026
Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration) High
GHSA-gfmx-qqqh-f38q was published for keras (pip) Feb 12, 2026 withdrawn
Pillow affected by out-of-bounds write when loading PSD images High
CVE-2026-25990 was published for pillow (pip) Feb 11, 2026
wiredfool Credited to wiredfool, radarhere, hugovk, and yardenporat353 radarhere radarhere
hugovk hugovk yardenporat353 yardenporat353
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
XlabAITeam Credited to XlabAITeam, tl2cents, keenanwgn, and A7um tl2cents tl2cents
keenanwgn keenanwgn A7um A7um
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service High
CVE-2026-25577 was published for emmett-core (pip) Feb 10, 2026
Ryu-GeonWoo Credited to Ryu-GeonWoo
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins High
CVE-2026-25478 was published for litestar (pip) Feb 9, 2026
Sirdorblu Credited to Sirdorblu
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token High
CVE-2026-25650 was published for mcp-salesforce-connector (pip) Feb 6, 2026
nirhaas Credited to nirhaas
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database