Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11 advisories

Loading
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization Moderate
CVE-2026-48990 was published for joserfc (pip) Jun 26, 2026
0xHunSec Credited to 0xHunSec
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read() Moderate
CVE-2026-55206 was published for py7zr (pip) Jun 19, 2026
0xHunSec Credited to 0xHunSec
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP Critical
CVE-2026-44727 was published for jupyter-server (pip) Jun 18, 2026
pikaball Credited to pikaball, y011d4, 0xHunSec, Yann-P, and Carreau y011d4 y011d4
0xHunSec 0xHunSec Yann-P Yann-P Carreau Carreau
Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning Moderate
GHSA-g75f-g53v-794x was published for bleach (pip) Jun 16, 2026
0xHunSec Credited to 0xHunSec
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient High
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
noobone123 Credited to noobone123, SnailSploit, 0xHunSec, and sondt99 SnailSploit SnailSploit
0xHunSec 0xHunSec sondt99 sondt99
WsgiDAV encoded dot segments can escape filesystem share roots High
CVE-2026-48099 was published for wsgidav (pip) Jun 11, 2026
0xHunSec Credited to 0xHunSec
python-liquid: Absolute paths escape filesystem loader search path High
CVE-2026-45017 was published for python-liquid (pip) May 11, 2026
0xHunSec Credited to 0xHunSec
Mako: Path traversal via double-slash URI prefix in TemplateLookup High
CVE-2026-41205 was published for Mako (pip) Apr 16, 2026
0xHunSec Credited to 0xHunSec and augustocesarperin augustocesarperin augustocesarperin
0xHunSec Credited to 0xHunSec
Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance Moderate
CVE-2026-46715 was published for Flask-Security-Too (pip) May 22, 2026
0xHunSec Credited to 0xHunSec
Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup High
CVE-2026-44307 was published for Mako (pip) May 6, 2026
0xHunSec Credited to 0xHunSec
ProTip! Advisories are also available from the GraphQL API