Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,003
Maven
5,000+
npm
4,732
NuGet
788
pip
4,341
Pub
12
RubyGems
987
Rust
1,137
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,659 advisories

Loading
Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming High
CVE-2026-2473 was published for google-cloud-aiplatform (pip) Feb 20, 2026
Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS) High
CVE-2026-2472 was published for google-cloud-aiplatform (pip) Feb 20, 2026
D-Tale affected by Remote Code Execution through the /save-column-filter endpoint High
CVE-2026-27194 was published for dtale (pip) Feb 19, 2026
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading High
CVE-2026-1669 was published for keras (pip) Feb 18, 2026
N3mes1s
Credited to N3mes1s
OpenStack Nova calls qemu-img without format restrictions for resize High
CVE-2026-24708 was published for Nova (pip) Feb 18, 2026
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
GHSA-97f8-7cmv-76j2 was published for picklescan (pip) Feb 18, 2026
zpbrent
Credited to zpbrent
NVIDIA NeMo Framework Deserializes Untrusted Data High
CVE-2025-33253 was published for nemo-toolkit (pip) Feb 18, 2026
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution High
CVE-2025-33245 was published for nemo-toolkit (pip) Feb 18, 2026
pretix unsafely evaluates variables in emails High
CVE-2026-2415 was published for pretix (pip) Feb 16, 2026
Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration) High
GHSA-gfmx-qqqh-f38q was published for keras (pip) Feb 12, 2026 withdrawn
Pillow affected by out-of-bounds write when loading PSD images High
CVE-2026-25990 was published for pillow (pip) Feb 11, 2026
wiredfool radarhere
hugovk yardenporat353
Credited to wiredfool, radarhere, hugovk, and yardenporat353
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
XlabAITeam tl2cents
keenanwgn A7um
Credited to XlabAITeam, tl2cents, keenanwgn, and A7um
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service High
CVE-2026-25577 was published for emmett-core (pip) Feb 10, 2026
Ryu-GeonWoo
Credited to Ryu-GeonWoo
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins High
CVE-2026-25478 was published for litestar (pip) Feb 9, 2026
Sirdorblu
Credited to Sirdorblu
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token High
CVE-2026-25650 was published for mcp-salesforce-connector (pip) Feb 6, 2026
nirhaas
Credited to nirhaas
Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL High
CVE-2026-25640 was published for pydantic-ai (pip) Feb 6, 2026
doredry urioren
amiteliahu
Credited to doredry, urioren, and amiteliahu
Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling High
CVE-2026-25580 was published for pydantic-ai (pip) Feb 6, 2026
YuvalElbar6 doredry
Credited to YuvalElbar6 and doredry
NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write High
CVE-2026-25732 was published for nicegui (pip) Feb 5, 2026
k14uz falkoschindler
evnchn
Credited to k14uz, falkoschindler, and evnchn
pgadmin4 affected by a Restore restriction bypass via key disclosure vulnerability High
CVE-2026-1707 was published for pgadmin4 (pip) Feb 5, 2026
Duplicate Advisory: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc High
GHSA-8x2r-v9x5-3qgh was published for pdfminer.six (pip) Feb 3, 2026 withdrawn
Boltz contains an insecure deserialization vulnerability in its molecule loading functionality High
CVE-2025-70560 was published for boltz (pip) Feb 3, 2026
Django has an SQL Injection issue High
CVE-2026-1287 was published for Django (pip) Feb 3, 2026
Django has an SQL Injection issue High
CVE-2026-1207 was published for Django (pip) Feb 3, 2026
SageMaker Python SDK has Exposed HMAC High
CVE-2026-1777 was published for sagemaker (pip) Feb 2, 2026
SageMaker Python SDK has Insecure TLS Configuration High
CVE-2026-1778 was published for sagemaker (pip) Feb 2, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database