Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,185 advisories

Loading
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode High
CVE-2026-54446 was published for netlicensing-mcp (pip) Jul 14, 2026
EQSTLab Credited to EQSTLab
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS High
GHSA-xf7x-x43h-rpqh was published for json-repair (pip) Jul 13, 2026
DIRAC: SQL injection and lack of access control in PilotManager service High
GHSA-7xw9-549r-8jrc was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
DIRAC: Pilot code downloaded over unverified HTTPS connection High
CVE-2026-61668 was published for DIRAC (pip) Jul 13, 2026
sfayer Credited to sfayer
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace High
CVE-2024-29033 was published for oauthenticator (pip) Mar 20, 2024
manics Credited to manics, consideRatio, minrk, and betatim consideRatio consideRatio
minrk minrk betatim betatim
Diffusers: TOCTOU Trust Remote Code Bypass High
CVE-2026-45804 was published for diffusers (pip) May 20, 2026
zafido Credited to zafido and gal-zafran gal-zafran gal-zafran
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset High
GHSA-h4g2-xfmw-q2c9 was published for clauster (pip) Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment High
GHSA-g5r6-gv6m-f5jv was published for mcp-atlassian (pip) Jul 10, 2026
rainfantry Credited to rainfantry
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py High
CVE-2026-54071 was published for BabelDOC (pip) Jul 10, 2026
EQSTLab Credited to EQSTLab and awwaawwa awwaawwa awwaawwa
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files High
GHSA-rpj2-4hq8-938g was published for vcrpy (pip) Jun 19, 2026
RamiAltai Credited to RamiAltai and EQSTLab EQSTLab EQSTLab
Mistune: Potential DoS via quadratic-time parsing in parse_link_text High
CVE-2026-49851 was published for mistune (pip) Jul 9, 2026
bhanugoudm041 Credited to bhanugoudm041
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS High
CVE-2026-48989 was published for windows-mcp (pip) May 21, 2026
Apache Airflow has a Deserialization of Untrusted Data vulnerability High
CVE-2026-42359 was published for apache-airflow (pip) Jun 1, 2026
Apache Airflow Vulnerable to Deserialization of Untrusted Data High
CVE-2026-45360 was published for apache-airflow (pip) Jun 1, 2026
Apache Airflow Vulnerable to Authorization Bypass Through User-Controlled Key High
CVE-2026-41084 was published for apache-airflow (pip) Jun 1, 2026
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser High
CVE-2026-49477 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists High
CVE-2026-49476 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths High
GHSA-52vm-mxx8-f227 was published for phantom-audio (pip) Jul 9, 2026
leesaenz Credited to leesaenz
Goh3st Credited to Goh3st
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
Apache Airflow: Execution API JWT leaked via KubernetesExecutor worker command-line args High
CVE-2026-49298 was published for apache-airflow-core (pip) Jun 1, 2026
OpenStack Ironic Python Agent Includes Functionality from Untrusted Control Sphere High
CVE-2026-43003 was published for ironic-python-agent (pip) May 1, 2026
ProTip! Advisories are also available from the GraphQL API