GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,273 advisories
Filter by severity
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Moderate
CVE-2026-54236
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
Moderate
CVE-2026-53923
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
Moderate
CVE-2026-12491
was published
for
vllm
(pip)
Jun 17, 2026
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
Moderate
CVE-2026-54235
was published
for
vllm
(pip)
Jun 17, 2026
OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
Moderate
CVE-2026-46448
was published
for
nova
(pip)
Jun 16, 2026
Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin
Moderate
GHSA-x7cf-6gp3-q5f8
was published
for
openclaw
(pip)
Jun 16, 2026
•
withdrawn
yt-dlp: File Downloader cookie leak with curl
Moderate
CVE-2026-50019
was published
for
yt-dlp
(pip)
Jun 16, 2026
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Moderate
CVE-2026-48520
was published
for
langflow
(pip)
Jun 16, 2026
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
Moderate
CVE-2026-42867
was published
for
langflow
(pip)
Jun 16, 2026
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Moderate
CVE-2026-55443
was published
for
langchain
(pip)
Jun 16, 2026
Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes
Moderate
GHSA-gj48-438w-jh9v
was published
for
bleach
(pip)
Jun 16, 2026
Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning
Moderate
GHSA-g75f-g53v-794x
was published
for
bleach
(pip)
Jun 16, 2026
pypdf: Possible infinite loop when processing outlines/bookmarks in writer
Moderate
CVE-2026-54531
was published
for
pypdf
(pip)
Jun 16, 2026
pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction
Moderate
CVE-2026-54530
was published
for
pypdf
(pip)
Jun 16, 2026
pypdf: Possible large memory usage for form XObjects during text extraction
Moderate
CVE-2026-49461
was published
for
pypdf
(pip)
Jun 16, 2026
pypdf: Inefficient decoding of FlateDecode PNG predictor streams
Moderate
CVE-2026-49460
was published
for
pypdf
(pip)
Jun 16, 2026
pypdf: Manipulated XMP metadata streams can exhaust RAM
Moderate
CVE-2026-48735
was published
for
pypdf
(pip)
Jun 16, 2026
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse
Moderate
GHSA-pw6j-qg29-8w7f
was published
for
tornado
(pip)
Jun 15, 2026
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
Moderate
CVE-2026-48817
was published
for
starlette
(pip)
Jun 15, 2026
aiohttp: Incomplete websocket frame payloads bypass memory limits
Moderate
CVE-2026-54274
was published
for
aiohttp
(pip)
Jun 15, 2026
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
Moderate
CVE-2026-54273
was published
for
aiohttp
(pip)
Jun 15, 2026
aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
Moderate
CVE-2026-54278
was published
for
aiohttp
(pip)
Jun 15, 2026
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Moderate
CVE-2026-54277
was published
for
aiohttp
(pip)
Jun 15, 2026
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
Moderate
CVE-2026-54276
was published
for
aiohttp
(pip)
Jun 15, 2026
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
Moderate
CVE-2026-48525
was published
for
pyjwt
(pip)
Jun 15, 2026
ProTip!
Advisories are also available from the
GraphQL API