GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
499 advisories
Filter by severity
Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)
Low
CVE-2026-55630
was published
for
kiwitcms
(pip)
Jul 6, 2026
Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases
Low
CVE-2026-53759
was published
for
linuxfabrik-lib
(pip)
Jul 6, 2026
Kiwi TCMS's /init-db/ page renders and responds to requests after first use
Low
CVE-2026-49292
was published
for
kiwitcms
(pip)
Jul 2, 2026
Open Babel has NULL pointer dereference in ChemKinFormat::ReadReactionQualifierLines
Low
CVE-2025-10998
was published
for
openbabel
(pip)
Jul 1, 2026
Open Babel has out-of-bounds write (overlapping memcpy) in zipstream basic_unzip_streambuf::underflow
Low
CVE-2025-10995
was published
for
openbabel
(pip)
Jun 30, 2026
Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule
Low
CVE-2025-10994
was published
for
openbabel
(pip)
Jun 30, 2026
Open Babel has a NULL pointer dereference in CDXML OBAtom::GetExplicitValence
Low
CVE-2026-3408
was published
for
openbabel
(pip)
Jun 30, 2026
Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge
Low
CVE-2026-2705
was published
for
openbabel
(pip)
Jun 30, 2026
Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString
Low
CVE-2026-2704
was published
for
openbabel
(pip)
Jun 30, 2026
Flawfinder output manipulation via untrusted filenames and source text
Low
CVE-2026-48813
was published
for
flawfinder
(pip)
Jun 26, 2026
PGHoard: Password written to debug log
Low
CVE-2026-54711
was published
for
pghoard
(pip)
Jun 18, 2026
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
Low
CVE-2026-12567
was published
for
bbot
(pip)
Jun 18, 2026
BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
Low
CVE-2026-12566
was published
for
bbot
(pip)
Jun 18, 2026
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
Low
GHSA-8rfp-98v4-mmr6
was published
for
bleach
(pip)
Jun 16, 2026
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Low
CVE-2026-54282
was published
for
Starlette
(pip)
Jun 15, 2026
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
Low
CVE-2026-53540
was published
for
python-multipart
(pip)
Jun 15, 2026
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
Low
CVE-2026-53538
was published
for
python-multipart
(pip)
Jun 15, 2026
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Low
CVE-2026-53537
was published
for
python-multipart
(pip)
Jun 15, 2026
aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Low
CVE-2026-54275
was published
for
aiohttp
(pip)
Jun 15, 2026
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Low
CVE-2026-54280
was published
for
aiohttp
(pip)
Jun 15, 2026
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Low
CVE-2026-54279
was published
for
aiohttp
(pip)
Jun 15, 2026
aiohttp: CRLF injection in multipart headers
Low
CVE-2026-50269
was published
for
aiohttp
(pip)
Jun 15, 2026
PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
Low
CVE-2026-48524
was published
for
pyjwt
(pip)
Jun 15, 2026
Tornado has out-of-bounds memory access via C extension
Low
CVE-2026-49854
was published
for
tornado
(pip)
Jun 12, 2026
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`
Low
CVE-2026-47712
was published
for
dulwich
(pip)
Jun 8, 2026
ProTip!
Advisories are also available from the
GraphQL API