GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
40 advisories
Filter by severity
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
Low
CVE-2026-53538
was published
for
python-multipart
(pip)
Jun 15, 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Moderate
CVE-2026-48710
was published
for
starlette
(pip)
Jun 4, 2026
AIOHTTP accepts duplicate Host headers
Moderate
CVE-2026-34525
was published
for
aiohttp
(pip)
Apr 1, 2026
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
Low
CVE-2025-69225
was published
for
aiohttp
(pip)
Jan 5, 2026
AIOHTTP's unicode processing of header values could cause parsing discrepancies
Low
CVE-2025-69224
was published
for
aiohttp
(pip)
Jan 5, 2026
Eventlet affected by HTTP request smuggling in unparsed trailers
Moderate
CVE-2025-58068
was published
for
eventlet
(pip)
Aug 29, 2025
mitmproxy binaries embed a vulnerable python-hyper/h2 dependency
Moderate
GHSA-63cx-g855-hvv4
was published
for
mitmproxy
(pip)
Aug 25, 2025
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
Low
CVE-2025-53643
was published
for
aiohttp
(pip)
Jul 14, 2025
h11 accepts some malformed Chunked-Encoding bodies
Critical
CVE-2025-43859
was published
for
h11
(pip)
Apr 24, 2025
Gunicorn HTTP Request/Response Smuggling vulnerability
High
CVE-2024-6827
was published
for
gunicorn
(pip)
Mar 20, 2025
aiohttp allows request smuggling due to incorrect parsing of chunk extensions
Moderate
CVE-2024-52304
was published
for
aiohttp
(pip)
Nov 18, 2024
Waitress has request processing race condition in HTTP pipelining with invalid first request
Critical
CVE-2024-49768
was published
for
waitress
(pip)
Oct 29, 2024
twisted.web has disordered HTTP pipeline response
Moderate
CVE-2024-41671
was published
for
twisted
(pip)
Jul 29, 2024
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado
Moderate
GHSA-753j-mpmx-qq6g
was published
for
tornado
(pip)
Jun 6, 2024
Request smuggling leading to endpoint restriction bypass in Gunicorn
High
CVE-2024-1135
was published
for
gunicorn
(pip)
Apr 16, 2024
aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
Moderate
CVE-2024-23829
was published
for
aiohttp
(pip)
Jan 29, 2024
aiohttp has vulnerable dependency that is vulnerable to request smuggling
Moderate
GHSA-pjjw-qhg8-p2p9
was published
for
aiohttp
(pip)
Nov 27, 2023
yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
Moderate
CVE-2023-46121
was published
for
yt-dlp
(pip)
Nov 15, 2023
AIOHTTP has problems in HTTP parser (the python one, not llhttp)
Moderate
CVE-2023-47627
was published
for
aiohttp
(pip)
Nov 14, 2023
Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
Low
CVE-2023-47641
was published
for
aiohttp
(pip)
Nov 14, 2023
twisted.web has disordered HTTP pipeline response
Moderate
CVE-2023-46137
was published
for
twisted
(pip)
Oct 25, 2023
Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths
Moderate
GHSA-qppv-j76h-2rpx
was published
for
tornado
(pip)
Aug 14, 2023
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Moderate
CVE-2023-37276
was published
for
aiohttp
(pip)
Jul 20, 2023
Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling
High
CVE-2023-27522
was published
for
uWSGI
(pip)
Mar 7, 2023
ProTip!
Advisories are also available from the
GraphQL API