Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,436
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,694
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

1,808 advisories

Loading
AGiXT Vulnerable to Path Traversal in safe_join() High
GHSA-5gfj-64gh-mgmw was published for agixt (pip) Apr 8, 2026
YeranG30 Credited to YeranG30
PraisonAI has Template Injection in Agent Tool Definitions High
CVE-2026-39891 was published for praisonai (pip) Apr 8, 2026
offset Credited to offset
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server High
CVE-2026-39889 was published for praisonai (pip) Apr 8, 2026
srisowmya2000 Credited to srisowmya2000
stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution High
CVE-2026-31040 was published for stata-mcp (pip) Apr 8, 2026
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write High
CVE-2026-34589 was published for OpenEXR (pip) Apr 8, 2026
quangIO Credited to quangIO
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write High
CVE-2026-34588 was published for OpenEXR (pip) Apr 8, 2026
quangIO Credited to quangIO
FastFeedParser has an infinite redirect loop DoS via meta-refresh chain High
CVE-2026-39376 was published for fastfeedparser (pip) Apr 8, 2026
redyank Credited to redyank
LiteLLM: Password hash exposure and pass-the-hash authentication bypass High
GHSA-69x8-hrgq-fjj8 was published for litellm (pip) Apr 8, 2026
MONAI: Unsafe functions lead to pickle deserialization rce High
GHSA-89gg-p5r5-q6r4 was published for monai (pip) Apr 7, 2026
hnking-star Credited to hnking-star
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr High
CVE-2026-34444 was published for lupa (pip) Apr 7, 2026
redyank Credited to redyank
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation High
CVE-2026-3902 was published for Django (pip) Apr 7, 2026
Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit High
CVE-2026-33034 was published for Django (pip) Apr 7, 2026
PraisonAI recipe registry publish path traversal allows out-of-root file write High
CVE-2026-39308 was published for PraisonAI (pip) Apr 6, 2026
R1ZZG0D Credited to R1ZZG0D
PraisonAI recipe registry pull path traversal writes files outside the chosen output directory High
CVE-2026-39306 was published for PraisonAI (pip) Apr 6, 2026
R1ZZG0D Credited to R1ZZG0D
PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction High
CVE-2026-39307 was published for PraisonAI (pip) Apr 6, 2026
liyander Credited to liyander
strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions High
CVE-2026-35526 was published for strawberry-graphql (pip) Apr 6, 2026
JFOZ1010 Credited to JFOZ1010, patrick91, and bellini666 patrick91 patrick91
bellini666 bellini666
strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol High
CVE-2026-35523 was published for strawberry-graphql (pip) Apr 6, 2026
bellini666 Credited to bellini666, patrick91, katzj, and WesR patrick91 patrick91
katzj katzj WesR WesR
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509) High
CVE-2026-35464 was published for pyload-ng (pip) Apr 4, 2026
kodareef5 Credited to kodareef5
pyLoad: Improper Neutralization of Special Elements used in an OS Command High
CVE-2026-35463 was published for pyload-ng (pip) Apr 4, 2026
axel-corsiez Credited to axel-corsiez
LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass High
CVE-2026-30762 was published for lightrag-hku (pip) Apr 4, 2026
Venkatatadu Credited to Venkatatadu
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter High
CVE-2026-35187 was published for pyload-ng (pip) Apr 4, 2026
morimori-dev Credited to morimori-dev
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation High
CVE-2026-35044 was published for bentoml (pip) Apr 3, 2026
offset Credited to offset
BentoML: Command Injection in cloud deployment setup script High
CVE-2026-35043 was published for bentoml (pip) Apr 3, 2026
kodareef5 Credited to kodareef5
LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint High
CVE-2026-35029 was published for litellm (pip) Apr 3, 2026
Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service High
CVE-2026-34824 was published for mesop (pip) Apr 3, 2026
tubadeligoz Credited to tubadeligoz
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database