
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,850 advisories

Weblate: Improper access control for the translation memory in API (Moderate)
CVE-2026-33214 was published for weblate (pip) Apr 16, 2026

Weblate: Improper access control for pending tasks in API (Low)
CVE-2026-33212 was published for weblate (pip) Apr 16, 2026
Credited to nijel

Apache Airflow: JWT token appearing in logs (Moderate)
CVE-2026-31987 was published for apache-airflow (pip) Apr 16, 2026

Apache Airflow: RCE by race condition in example_xcom dag (High)
CVE-2025-54550 was published for apache-airflow (pip) Apr 16, 2026

wger has Stored XSS via Unescaped License Attribution Fields (Moderate)
CVE-2026-40353 was published for wger (pip) Apr 16, 2026
Credited to 0xkakash1

wger has Broken Access Control in Global Gym Configuration Update Endpoint (High)
CVE-2026-40474 was published for wger (pip) Apr 16, 2026
Credited to VashuVats

UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen (Critical)
GHSA-hm2w-vr2p-hq7w was published for uefi-firmware (pip) Apr 16, 2026
Credited to 1seal

UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable (Critical)
GHSA-2689-5p89-6j3j was published for uefi-firmware (pip) Apr 16, 2026
Credited to 1seal and offset

LangSmith SDK: Streaming token events bypass output redaction (Moderate)
CVE-2026-41182 was published for langsmith (npm) Apr 16, 2026
Credited to Ryu7zz and fg0x0

python-multipart affected by Denial of Service via large multipart preamble or epilogue data (Moderate)
CVE-2026-40347 was published for python-multipart (pip) Apr 15, 2026
Credited to HamdaanAliQuatil and defnull

pypdf has long runtimes for wrong size values in cross-reference and object streams (Moderate)
CVE-2026-41168 was published for pypdf (pip) Apr 15, 2026
Credited to alpakalee and stefan6419846

Upsonic: remote code execution vulnerability in its MCP server/task creation functionality (Critical)
CVE-2026-30625 was published for upsonic (pip) Apr 15, 2026

pyLoad's Session Not Invalidated After Permission Changes (Low)
GHSA-fj52-5g4h-gmq8 was published for pyload-ng (pip) Apr 14, 2026
Credited to PinkDraconian

pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) (High)
CVE-2026-41133 was published for pyload-ng (pip) Apr 14, 2026
Credited to komi22

Giskard has Unsandboxed Jinja2 Template Rendering in ConformityCheck (Moderate)
CVE-2026-40320 was published for giskard-checks (pip) Apr 14, 2026
Credited to dhabaleshwar

Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check (Low)
CVE-2026-40319 was published for giskard-checks (pip) Apr 14, 2026
Credited to dhabaleshwar

OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean (High)
CVE-2026-40683 was published for keystone (pip) Apr 14, 2026

Multiple security fixes in justhtml (Low)
GHSA-4p64-v8f5-r2gx was published for justhtml (pip) Apr 14, 2026
Credited to EmilStenstrom

gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall (Moderate)
CVE-2026-40491 was published for gdown (pip) Apr 14, 2026
Credited to redyank, dyingman1, drkim-dev, and HiHyeonji

mitmproxy has an LDAP Injection (Moderate)
CVE-2026-40606 was published for mitmproxy (pip) Apr 14, 2026
Credited to yueyueL and mhils

excel-mcp-server has a Path Traversal issue (Critical)
CVE-2026-40576 was published for excel-mcp-server (pip) Apr 14, 2026
Credited to hits313

FITS GZIP decompression bomb in Pillow (High)
CVE-2026-40192 was published for pillow (pip) Apr 13, 2026
Credited to sammiee5311
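The gdown entry in the list above describes the classic archive-extraction flaw: an archive member named with `..` segments or an absolute path is written outside the directory the caller chose. The following is an added example written for this page, not gdown's own code and not the advisory's proof of concept. It builds a constructed in-memory tar archive with one benign member and two hostile ones, then extracts only members whose resolved path stays inside the destination. The names `build_sample_archive`, `is_within` and `safe_extract` are illustrative, not an API of any project listed here.

```python
"""Added example: destination-bounded archive extraction.

Illustrative code for this page, not gdown's implementation. The archive is
a constructed sample containing a benign entry and two path-traversal entries.
"""
import io
import os
import tarfile
import tempfile


def build_sample_archive() -> bytes:
    """Constructed sample: a tar with a benign file and two traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [
            ("data/readme.txt", b"benign\n"),
            ("../outside.txt", b"escapes via ..\n"),
            ("/etc/evil.conf", b"absolute path\n"),
        ]:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(base: str, target: str) -> bool:
    """True if target, once fully resolved, is base itself or lies under it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(archive_bytes: bytes, dest: str) -> dict:
    """Extract only members whose resolved path stays under dest.

    Returns {"extracted": [...], "rejected": [...]} so the caller can log or
    alert on hostile entries instead of silently dropping them.
    """
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # Symlinks and hardlinks can point outside dest as well; this
            # example rejects them outright rather than validating targets.
            if member.issym() or member.islnk():
                rejected.append(member.name)
                continue
            # os.path.join discards dest when member.name is absolute, so the
            # absolute-path case is caught by the same containment check.
            candidate = os.path.join(dest, member.name)
            if not is_within(dest, candidate):
                rejected.append(member.name)
                continue
            tar.extract(member, path=dest)
            extracted.append(member.name)
    return {"extracted": extracted, "rejected": rejected}


def demo() -> dict:
    """Run safe_extract on the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        result = safe_extract(build_sample_archive(), dest)
        result["readme_exists"] = os.path.exists(
            os.path.join(dest, "data", "readme.txt")
        )
        return result


if __name__ == "__main__":
    print(demo())
```

The check resolves both sides with `os.path.realpath` before comparing, so a destination that is itself a symlink (for example a temporary directory on macOS) does not produce a false rejection. On Python 3.12 and the security backports to earlier releases, `tarfile` offers the `filter="data"` argument to `extract` and `extractall`, which refuses absolute paths, outside-destination paths and links escaping the destination; the explicit containment check above is what to apply where that filter is unavailable or where the archive format is not tar.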
Advisories are also available from the GraphQL API.