GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,268 advisories
Filter by severity
daphne: Unauthenticated attackers can cause excessive memory consumption by sending arbitrarily large WebSocket messages/frames
Moderate
CVE-2026-44545
was published
for
daphne
(pip)
Jun 3, 2026
CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources
Moderate
GHSA-9mqm-qcwf-5qhg
was published
for
credsweeper
(pip)
Jul 10, 2026
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Moderate
GHSA-489g-7rxv-6c8q
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Moderate
CVE-2026-48710
was published
for
starlette
(pip)
Jun 4, 2026
pip: Path traversal in console_scripts/gui_scripts entry point names allows installing scripts outside of target directory
Moderate
CVE-2026-8643
was published
for
pip
(pip)
Jun 1, 2026
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
Jupyter Server vulnerable to Path Traversal via incorrect root directory boundary check in _get_os_path()
Moderate
CVE-2026-5422
was published
for
jupyter-server
(pip)
Jun 2, 2026
Apache Airflow has no certificate validation on SMTP STARTTLS connections
Moderate
CVE-2026-49267
was published
for
apache-airflow
(pip)
Jun 1, 2026
pypdf: Possible infinite loop when processing threads/articles in writer
Moderate
CVE-2026-54651
was published
for
pypdf
(pip)
Jul 9, 2026
vantage6 node has an Improper Access Control issue
Moderate
CVE-2026-54533
was published
for
vantage6
(pip)
Jun 5, 2026
Vantage6: Set admin user and password from environment or configuration
Moderate
CVE-2026-54445
was published
for
vantage6
(pip)
Jun 5, 2026
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
Moderate
CVE-2026-48817
was published
for
starlette
(pip)
Jun 15, 2026
Apache Airflow has an Authorization Bypass Through User-Controlled Key
Moderate
CVE-2026-46764
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Moderate
CVE-2026-42360
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Moderate
CVE-2026-42358
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has a Link Following issue
Moderate
CVE-2026-40861
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has a Missing Authorization issue
Moderate
CVE-2026-41014
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has a Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Moderate
CVE-2026-41017
was published
for
apache-airflow
(pip)
Jun 1, 2026
MLflow: Any authenticated user can enumerate all gateway secrets, endpoints, and model definitions
Moderate
CVE-2026-3198
was published
for
mlflow
(pip)
Jun 2, 2026
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
Moderate
CVE-2026-53720
was published
for
pymonocypher
(pip)
Jul 9, 2026
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager
Moderate
CVE-2026-48987
was published
for
pyload-ng
(pip)
Jul 9, 2026
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs
Moderate
CVE-2026-48737
was published
for
pyload-ng
(pip)
Jul 9, 2026
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler
Moderate
GHSA-mxwc-wh95-pw4g
was published
for
trapster
(pip)
Jul 8, 2026
Apache Airflow: Auth manager doesn't invalidate JWT tokens after users click logout
Moderate
CVE-2026-48726
was published
for
apache-airflow
(pip)
Jun 1, 2026
ProTip!
Advisories are also available from the
GraphQL API