GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,931 advisories

Credited to HyperPS
pyquorum: Timing side‑channel in mul_mod Moderate
CVE-2026-44368 was published for pyquorum (pip) May 6, 2026
misp-modules website - Missing CSRF protection in the website home blueprint Critical
CVE-2026-44364 was published for misp-modules (pip) May 6, 2026
Credited to DavidCruciani
misp-modules has unsafe remote resource fetching in expansion Moderate
CVE-2026-44363 was published for misp-modules (pip) May 6, 2026
Credited to DavidCruciani
PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass) High
CVE-2026-44334 was published for praisonai (pip) May 6, 2026
Credited to everping
PraisonAI has an SSRF bypass High
CVE-2026-44335 was published for praisonaiagents (pip) May 6, 2026
Credited to Fushuling and RacerZ-fighting
aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221) Low
GHSA-7mw3-79jq-xc7f was published for aiograpi (pip) May 6, 2026
GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath High
CVE-2026-44244 was published for GitPython (pip) May 6, 2026
Credited to daridor9
python-multipart has Denial of Service via unbounded multipart part headers High
CVE-2026-42561 was published for python-multipart (pip) May 6, 2026
Credited to SinhSinhAn and intadd
Credited to Yunzez
Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup High
CVE-2026-44307 was published for Mako (pip) May 6, 2026
Credited to 0xHunSec
Credited to fg0x0, krassowski, jtpio, and Yann-P
Granian vulnerable to DoS via WSGI response header panic Moderate
CVE-2026-42545 was published for granian (pip) May 6, 2026
Credited to Z-Bra0
Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic High
CVE-2026-42544 was published for granian (pip) May 6, 2026
Credited to Z-Bra0
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed Low
CVE-2026-42448 was published for magic-wormhole (pip) May 6, 2026
wger: trainer_login open redirect - ?next= parameter not validated against host Moderate
GHSA-vqv8-j3mj-wjxj was published for wger (pip) May 6, 2026
Credited to whatisproblem
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass Critical
CVE-2026-43948 was published for wger (pip) May 6, 2026
Credited to whatisproblem
wger: CSV/TSV formula injection in gym member export (first_name/last_name) High
GHSA-xq9m-hmp9-fw87 was published for wger (pip) May 6, 2026
Credited to whatisproblem
Lemur: LDAP Filter Injection enables post-authentication privilege escalation High
CVE-2026-44304 was published for lemur (pip) May 6, 2026
Credited to kuranikaran
Credited to kuranikaran
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI Moderate
CVE-2026-44226 was published for pyload-ng (pip) May 6, 2026
Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input High
GHSA-hjph-f4mc-wx4c was published for mistune (pip) May 6, 2026 withdrawn
Credited to bhanugoudm041
Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input High
CVE-2026-33079 was published for mistune (pip) May 6, 2026
Credited to kq5y
ProTip! Advisories are also available from the GraphQL API