
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,850 advisories

Apache Airflow allows code execution through crafted XCom payloads [High]
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026

pretalx vulnerable to stored cross-site scripting in organizer search typeahead [High]
CVE-2026-41241 was published for pretalx (pip) Apr 18, 2026

pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders [Moderate]
CVE-2026-41426 was published for pretalx (pip) Apr 18, 2026
Credited to markfijneman
Credited to alexwaira, vyprsec-research, and romain-deperne
Credited to BerSecHub

PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection [Critical]
CVE-2026-41497 was published for praisonai (pip) Apr 17, 2026
Credited to decsecre583

OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes [Critical]
CVE-2026-40525 was published for openviking (pip) Apr 17, 2026

Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures [Low]
CVE-2026-35402 was published for mcp-neo4j-cypher (pip) Apr 17, 2026
Credited to yotampe-pluto

Sentry: Improper authentication on SAML SSO process allows user identity linking [Critical]
CVE-2026-27197 was published for sentry (pip) Apr 17, 2026
Credited to Muhammad-Qasim-Munir

langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding [Low]
CVE-2026-41488 was published for langchain-openai (pip) Apr 16, 2026
Credited to deprrous

LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass [Moderate]
CVE-2026-41481 was published for langchain-text-splitters (pip) Apr 16, 2026
Credited to Aeg1sx

Authlib: Cross-site request forgery when using cache [Moderate]
CVE-2026-41425 was published for authlib (pip) Apr 16, 2026

pypdf: Manipulated FlateDecode image dimensions can exhaust RAM [Moderate]
CVE-2026-41314 was published for pypdf (pip) Apr 16, 2026
Credited to l3b4nk4 and stefan6419846

pypdf: Possible long runtimes for wrong size values in incremental mode [Moderate]
CVE-2026-41313 was published for pypdf (pip) Apr 16, 2026
Credited to l3b4nk4 and stefan6419846

pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM [Moderate]
CVE-2026-41312 was published for pypdf (pip) Apr 16, 2026
Credited to l3b4nk4 and stefan6419846

Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates [Moderate]
CVE-2026-40602 was published for homeassistant-cli (pip) Apr 16, 2026
Credited to heyitsPiyush and fabaff

Mako: Path traversal via double-slash URI prefix in TemplateLookup [Moderate]
CVE-2026-41205 was published for Mako (pip) Apr 16, 2026
Credited to 0xHunSec

Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision [Moderate]
CVE-2026-40256 was published for weblate (pip) Apr 16, 2026
Credited to nijel and M9nx

Weblate: SSRF via the webhook add-on using unprotected fetch_url() [Moderate]
CVE-2026-39845 was published for weblate (pip) Apr 16, 2026
Credited to nijel

Weblate: Privilege escalation in the user API endpoint [High]
CVE-2026-34393 was published for weblate (pip) Apr 16, 2026
Credited to tikket1, nijel, and DavidCarliez

Weblate: SSRF via Project-Level Machinery Configuration [Moderate]
CVE-2026-34244 was published for weblate (pip) Apr 16, 2026
Credited to DavidCarliez, nijel, and amCap1712

Weblate: Arbitrary File Read via Symlink [High]
CVE-2026-34242 was published for weblate (pip) Apr 16, 2026
Credited to DavidCarliez

Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads [Moderate]
CVE-2026-33440 was published for weblate (pip) Apr 16, 2026
Credited to spbavarva and nijel

Weblate: Remote code execution during backup restoration [High]
CVE-2026-33435 was published for weblate (pip) Apr 16, 2026
Credited to nijel and amCap1712

Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository [Moderate]
CVE-2026-33220 was published for weblate (pip) Apr 16, 2026
Credited to spbavarva and nijel