
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,550 advisories

OpenCC has an Out-of-bounds read when processing truncated UTF-8 input Moderate
GHSA-7fqq-q52p-2jjg was published for OpenCC (npm) Mar 29, 2026
Credited to kodareef5
Home Assistant has stored XSS in history-graphs Low
CVE-2026-33045 was published for homeassistant (pip) Mar 27, 2026
Credited to pwnpanda
Home Assistant has stored XSS in Map-card through malicious device name Low
CVE-2026-33044 was published for homeassistant (pip) Mar 27, 2026
Credited to pwnpanda
cryptography has incomplete DNS name constraint enforcement on peer names Low
CVE-2026-34073 was published for cryptography (pip) Mar 27, 2026
Credited to 1seal and woodruffw
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions High
CVE-2026-34070 was published for langchain-core (pip) Mar 27, 2026
Credited to jiayuqi7813, VladimirEliTokarev, and Rickidevs
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check High
CVE-2026-34046 was published for langflow (pip) Mar 27, 2026
Credited to chximn-dt and AntonioABLima
Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters High
CVE-2026-33981 was published for changedetection.io (pip) Mar 27, 2026
Credited to sajdakabir and zerotrail-ai
Credited to romain-deperne
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration Critical
CVE-2026-33992 was published for pyload-ng (pip) Mar 27, 2026
Credited to DhiyaneshGeek
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys Moderate
CVE-2026-33936 was published for ecdsa (pip) Mar 27, 2026
Credited to 0xmrma
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories Low
CVE-2026-29071 was published for open-webui (pip) Mar 27, 2026
Credited to MariuszMaik
Open WebUI has unauthorized deletion of knowledge files Moderate
CVE-2026-29070 was published for open-webui (pip) Mar 27, 2026
Credited to ScaumAcktiv
Credited to Inar1Dev
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` Moderate
CVE-2026-28786 was published for open-webui (pip) Mar 27, 2026
Credited to akshatgit
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out High
CVE-2026-27893 was published for vllm (pip) Mar 27, 2026
Credited to Wernerina and russellb
C2C CI utils is vulnerable to DoS via pyasn dependency (CVE-2026-30922) High
GHSA-wcjx-v2wj-xg87 was published for c2cciutils (pip) Mar 26, 2026
Langflow has Authenticated Code Execution in Agentic Assistant Validation Critical
CVE-2026-33873 was published for langflow (pip) Mar 26, 2026
Credited to kexinoh and andifilhohub
BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml High
CVE-2026-33744 was published for bentoml (pip) Mar 26, 2026
Credited to golang-not-rust
OpenHands is Vulnerable to Command Injection through its Git Diff Handler High
CVE-2026-33718 was published for openhands (pip) Mar 25, 2026
Credited to yueyueL and ESPanda666
Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure) Moderate
CVE-2026-33682 was published for Streamlit (pip) Mar 25, 2026
pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream Moderate
CVE-2026-33699 was published for pypdf (pip) Mar 25, 2026
Credited to kejcao and stefan6419846
Modoboa has OS Command Injection High
CVE-2026-27602 was published for modoboa (pip) Mar 25, 2026
Credited to ByamB4
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function Moderate
CVE-2026-25645 was published for requests (pip) Mar 25, 2026
Credited to Jaycelation, nateprewitt, and sigmavirus24