GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

392 advisories

justhtml: Mutation XSS with custom foreign-namespace sanitization policies Low
GHSA-r758-8hxw-4845 was published for justhtml (pip) Apr 8, 2026
Credited to EmilStenstrom
Django vulnerable to privilege abuse in GenericInlineModelAdmin Low
CVE-2026-4277 was published for Django (pip) Apr 7, 2026
Django vulnerable to privilege abuse in ModelAdmin.list_editable Low
CVE-2026-4292 was published for Django (pip) Apr 7, 2026
OpenEXR Makes Use of Uninitialized Memory Low
CVE-2025-64181 was published for OpenEXR (pip) Apr 6, 2026
Credited to Kaldreic
PyBlade: SSTI/RCE via Bypassed AST Validation in sandbox.py Low
CVE-2026-5559 was published for pyblade (pip) Apr 5, 2026
Credited to vmfunc, oxqnd, and rodrigobnogueira
AIOHTTP has HTTP response splitting via \r in reason phrase Low
CVE-2026-34519 was published for aiohttp (pip) Apr 1, 2026
Credited to DHIRAL2908
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect Low
CVE-2026-34518 was published for aiohttp (pip) Apr 1, 2026
Credited to uug4na and Dreamsorcerer
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS Low
CVE-2026-34517 was published for aiohttp (pip) Apr 1, 2026
Credited to bekkaze and Dreamsorcerer
AIOHTTP has CRLF injection through multipart part content type header construction Low
CVE-2026-34514 was published for aiohttp (pip) Apr 1, 2026
Credited to mingijunggrape
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector Low
CVE-2026-34513 was published for aiohttp (pip) Apr 1, 2026
Credited to gonas0919
Nautobot: Management of users via REST API does not apply configured password validators Low
CVE-2026-34203 was published for nautobot (pip) Mar 31, 2026
Credited to morimori-dev
Home Assistant has stored XSS in history-graphs Low
CVE-2026-33045 was published for homeassistant (pip) Mar 27, 2026
Credited to pwnpanda
Home Assistant has stored XSS in Map-card through malicious device name Low
CVE-2026-33044 was published for homeassistant (pip) Mar 27, 2026
Credited to pwnpanda
cryptography has incomplete DNS name constraint enforcement on peer names Low
CVE-2026-34073 was published for cryptography (pip) Mar 27, 2026
Credited to 1seal and woodruffw
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories Low
CVE-2026-29071 was published for open-webui (pip) Mar 27, 2026
Credited to MariuszMaik
Credited to nzlaura and dnegreira
MindSQL is vulnerable to Code Injection through its ask_db function Low
CVE-2026-4506 was published for mindsql (pip) Mar 21, 2026
Stored XSS in Memray-generated HTML reports via unescaped command-line metadata Low
CVE-2026-32722 was published for memray (pip) Mar 16, 2026
Credited to 0xmrma
Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html` Low
CVE-2026-32109 was published for copyparty (pip) Mar 12, 2026
Credited to thesanjok
Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access Low
CVE-2026-32108 was published for copyparty (pip) Mar 12, 2026
Credited to thesanjok
dbt-common's commonprefix() doesn't protect against path traversal Low
CVE-2026-29790 was published for dbt-common (pip) Mar 5, 2026
Credited to sethmlarson and emmyoop
Django has a Race Condition vulnerability Low
CVE-2026-25674 was published for Django (pip) Mar 3, 2026
Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret Low
CVE-2026-27167 was published for gradio (pip) Mar 1, 2026
Credited to tenbbughunters