Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,273 advisories

Loading
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router Moderate
CVE-2026-54236 was published for vllm (pip) Jun 17, 2026
SnailSploit Credited to SnailSploit and jperezdealgaba jperezdealgaba jperezdealgaba
Aviral2642 Credited to Aviral2642, russellb, and jperezdealgaba russellb russellb
jperezdealgaba jperezdealgaba
kexinoh Credited to kexinoh, russellb, jperezdealgaba, and DarkLight1337 russellb russellb
jperezdealgaba jperezdealgaba DarkLight1337 DarkLight1337
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels Moderate
CVE-2026-54235 was published for vllm (pip) Jun 17, 2026
brodmart Credited to brodmart and jperezdealgaba jperezdealgaba jperezdealgaba
Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin Moderate
GHSA-x7cf-6gp3-q5f8 was published for openclaw (pip) Jun 16, 2026 withdrawn
yt-dlp: File Downloader cookie leak with curl Moderate
CVE-2026-50019 was published for yt-dlp (pip) Jun 16, 2026
seproDev Credited to seproDev, Grub4K, and bashonly Grub4K Grub4K
bashonly bashonly
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read Moderate
CVE-2026-48520 was published for langflow (pip) Jun 16, 2026
vbCrLf Credited to vbCrLf, keval718, and andifilhohub keval718 keval718
andifilhohub andifilhohub
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint Moderate
CVE-2026-42867 was published for langflow (pip) Jun 16, 2026
nekros1xx Credited to nekros1xx, Cristhianzl, andifilhohub, and AntonioABLima Cristhianzl Cristhianzl
andifilhohub andifilhohub AntonioABLima AntonioABLima
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders Moderate
CVE-2026-55443 was published for langchain (pip) Jun 16, 2026
Mistz1 Credited to Mistz1 and deprrous deprrous deprrous
Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes Moderate
GHSA-gj48-438w-jh9v was published for bleach (pip) Jun 16, 2026
BangbBros Credited to BangbBros
Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning Moderate
GHSA-g75f-g53v-794x was published for bleach (pip) Jun 16, 2026
0xHunSec Credited to 0xHunSec
pypdf: Possible infinite loop when processing outlines/bookmarks in writer Moderate
CVE-2026-54531 was published for pypdf (pip) Jun 16, 2026
SagDeap Credited to SagDeap and stefan6419846 stefan6419846 stefan6419846
pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction Moderate
CVE-2026-54530 was published for pypdf (pip) Jun 16, 2026
SagDeap Credited to SagDeap and stefan6419846 stefan6419846 stefan6419846
pypdf: Possible large memory usage for form XObjects during text extraction Moderate
CVE-2026-49461 was published for pypdf (pip) Jun 16, 2026
manop55555 Credited to manop55555 and stefan6419846 stefan6419846 stefan6419846
pypdf: Inefficient decoding of FlateDecode PNG predictor streams Moderate
CVE-2026-49460 was published for pypdf (pip) Jun 16, 2026
manop55555 Credited to manop55555 and stefan6419846 stefan6419846 stefan6419846
pypdf: Manipulated XMP metadata streams can exhaust RAM Moderate
CVE-2026-48735 was published for pypdf (pip) Jun 16, 2026
manop55555 Credited to manop55555 and stefan6419846 stefan6419846 stefan6419846
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse Moderate
GHSA-pw6j-qg29-8w7f was published for tornado (pip) Jun 15, 2026
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr` Moderate
CVE-2026-48817 was published for starlette (pip) Jun 15, 2026
aiohttp: Incomplete websocket frame payloads bypass memory limits Moderate
CVE-2026-54274 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and Dreamsorcerer Dreamsorcerer Dreamsorcerer
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit Moderate
CVE-2026-54273 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup Moderate
CVE-2026-54278 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines Moderate
CVE-2026-54277 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges Moderate
CVE-2026-54276 was published for aiohttp (pip) Jun 15, 2026
denyspakizh-tob Credited to denyspakizh-tob and bdraco bdraco bdraco
thesmartshadow Credited to thesmartshadow
ProTip! Advisories are also available from the GraphQL API