GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,185 advisories
Filter by severity
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
High
CVE-2026-54446
was published
for
netlicensing-mcp
(pip)
Jul 14, 2026
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS
High
GHSA-xf7x-x43h-rpqh
was published
for
json-repair
(pip)
Jul 13, 2026
DIRAC: SQL injection and lack of access control in PilotManager service
High
GHSA-7xw9-549r-8jrc
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC: Pilot code downloaded over unverified HTTPS connection
High
CVE-2026-61668
was published
for
DIRAC
(pip)
Jul 13, 2026
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace
High
CVE-2024-29033
was published
for
oauthenticator
(pip)
Mar 20, 2024
huggingface/transformers: Arbitrary Code Execution During Model Initialization in the LightGlue Model Loading Path
High
CVE-2026-5241
was published
for
transformers
(pip)
Jun 3, 2026
Diffusers: TOCTOU Trust Remote Code Bypass
High
CVE-2026-45804
was published
for
diffusers
(pip)
May 20, 2026
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
High
GHSA-h4g2-xfmw-q2c9
was published
for
clauster
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment
High
GHSA-g5r6-gv6m-f5jv
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary server-side file read via attachment upload
High
GHSA-wm45-qh3g-v83f
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
High
CVE-2026-54071
was published
for
BabelDOC
(pip)
Jul 10, 2026
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
High
GHSA-rpj2-4hq8-938g
was published
for
vcrpy
(pip)
Jun 19, 2026
Mistune: Potential DoS via quadratic-time parsing in parse_link_text
High
CVE-2026-49851
was published
for
mistune
(pip)
Jul 9, 2026
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
High
CVE-2026-48989
was published
for
windows-mcp
(pip)
May 21, 2026
Apache Airflow has a Deserialization of Untrusted Data vulnerability
High
CVE-2026-42359
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow Vulnerable to Deserialization of Untrusted Data
High
CVE-2026-45360
was published
for
apache-airflow
(pip)
Jun 1, 2026
Prefect has an Authentication Middleware Bypass when URL paths are appended with 'health' or 'ready'
High
CVE-2026-3514
was published
for
prefect
(pip)
Jun 2, 2026
Apache Airflow Vulnerable to Authorization Bypass Through User-Controlled Key
High
CVE-2026-41084
was published
for
apache-airflow
(pip)
Jun 1, 2026
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
High
CVE-2026-49477
was published
for
soupsieve
(pip)
Jul 9, 2026
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists
High
CVE-2026-49476
was published
for
soupsieve
(pip)
Jul 9, 2026
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths
High
GHSA-52vm-mxx8-f227
was published
for
phantom-audio
(pip)
Jul 9, 2026
Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
High
CVE-2026-49471
was published
for
serena-agent
(pip)
Jul 8, 2026
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
High
CVE-2026-49825
was published
for
lxml_html_clean
(pip)
Jul 8, 2026
Apache Airflow: Execution API JWT leaked via KubernetesExecutor worker command-line args
High
CVE-2026-49298
was published
for
apache-airflow-core
(pip)
Jun 1, 2026
OpenStack Ironic Python Agent Includes Functionality from Untrusted Control Sphere
High
CVE-2026-43003
was published
for
ironic-python-agent
(pip)
May 1, 2026
ProTip!
Advisories are also available from the
GraphQL API