GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 70
GitHub Actions: 52
Go: 3,894
Maven: 5,000+
npm: 5,000+
NuGet: 963
pip: 5,000+
Pub: 13
RubyGems: 1,061
Rust: 1,373
Swift: 54
Unreviewed advisories
All unreviewed: 5,000+
5,143 advisories
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Severity: Critical. CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) on May 21, 2026.
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Severity: Critical. CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) on May 21, 2026.
Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)
Severity: Moderate. CVE-2026-46678 was published for pydantic-ai (pip) on May 21, 2026.
SQLAdmin: Authorization Bypass on `ajax_lookup`
Severity: Moderate. CVE-2026-46645 was published for sqladmin (pip) on May 21, 2026.
FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
Severity: Moderate. CVE-2026-46556 was published for flaskbb (pip) on May 21, 2026.
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
Severity: Moderate. CVE-2026-46561 was published for pyload-ng (pip) on May 21, 2026.
MLflow: unauthenticated access to certain FastAPI routes
Severity: High. CVE-2026-2652 was published for mlflow (pip) on May 15, 2026.
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
Severity: High. CVE-2026-46517 was published for lmdeploy (pip) on May 21, 2026.
Crawlee for Python: SSRF via sitemap-derived URLs
Severity: Low. CVE-2026-46497 was published for crawlee (pip) on May 21, 2026.
Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
Severity: Moderate. CVE-2026-8597 was published for sagemaker (pip) on May 21, 2026.
Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
Severity: High. CVE-2026-8596 was published for sagemaker (pip) on May 21, 2026.
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
Severity: High. CVE-2026-46432 was published for lmdeploy (pip) on May 21, 2026.
Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing
Severity: Moderate. CVE-2026-46486 was published for mvt (pip) on May 21, 2026.
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
Severity: High. GHSA-vrxg-gm77-7q5g was published for windows-mcp (pip) on May 21, 2026.
Mistune Image Directive CSS Injection Vulnerability
Severity: Moderate. CVE-2026-44899 was published for mistune (pip) on May 14, 2026.
Mistune TOC Anchor Injection XSS
Severity: Moderate. CVE-2026-44898 was published for mistune (pip) on May 14, 2026.
Mistune Heading ID Attribute has Injection XSS
Severity: Moderate. CVE-2026-44897 was published for mistune (pip) on May 9, 2026.
Mistune Math Plugin has an XSS Escape Bypass
Severity: Moderate. CVE-2026-44708 was published for mistune (pip) on May 8, 2026.
JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request
Severity: High. CVE-2026-42266 was published for jupyterlab (pip) on May 5, 2026.
Scrapy denial of service vulnerability
Severity: High. CVE-2017-14158 was published for scrapy (pip) on May 17, 2022.
Werkzeug possible resource exhaustion when parsing file data in forms
Severity: Moderate. CVE-2024-49767 was published for Quart (pip) on Oct 25, 2024.
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Severity: Moderate. CVE-2023-46136 was published for werkzeug (pip) on Oct 25, 2023.
pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files
Severity: Moderate. CVE-2026-3219 was published for pip (pip) on Apr 20, 2026.
wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
Severity: High. GHSA-mw8f-w6p8-xrf4 was published for wger (pip) on May 20, 2026.
Diffusers: TOCTOU Trust Remote Code Bypass
Severity: High. CVE-2026-45804 was published for diffusers (pip) on May 20, 2026.
ProTip! Advisories are also available from the GraphQL API.