GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
42 advisories
Filter by severity
mcp-atlassian: Arbitrary server-side file read via attachment upload
High
GHSA-wm45-qh3g-v83f
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths
High
GHSA-52vm-mxx8-f227
was published
for
phantom-audio
(pip)
Jul 9, 2026
Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB
High
CVE-2026-49360
was published
for
recce
(pip)
Jul 2, 2026
OctoPrint has possible file exfiltration via query parameters on upload endpoints
High
CVE-2026-54134
was published
for
OctoPrint
(pip)
Jun 23, 2026
BBOT: Arbitrary File Write in postman_download Module
Moderate
CVE-2026-12568
was published
for
bbot
(pip)
Jun 18, 2026
PraisonAI GitHub template cache path traversal allows outside-cache file write and directory deletion
High
GHSA-f44v-7qgw-9gh9
was published
for
praisonai
(pip)
Jun 18, 2026
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Moderate
CVE-2026-48520
was published
for
langflow
(pip)
Jun 16, 2026
Docling Core: Insufficient validation of image reference URIs
High
CVE-2026-44019
was published
for
docling-core
(pip)
Jun 3, 2026
Docling: Unsafe URI and Path Handling in HTML Backend
High
CVE-2026-47214
was published
for
docling
(pip)
Jun 3, 2026
rattler has an entry-point path traversal in noarch:python install (arbitrary file write)
Moderate
CVE-2026-47425
was published
for
py-rattler
(pip)
Jun 1, 2026
compliance-trestle - jinja has an Arbitrary File Write via Path Traversal
High
CVE-2026-46345
was published
for
compliance-trestle
(pip)
May 28, 2026
compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal
High
CVE-2026-45725
was published
for
compliance-trestle
(pip)
May 27, 2026
Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`
Moderate
CVE-2026-46383
was published
for
apm-cli
(pip)
May 15, 2026
Streamlink has an arbitrary local file read via file:// URI in HLS and DASH
Moderate
CVE-2026-44353
was published
for
streamlink
(pip)
May 11, 2026
Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
High
CVE-2026-44641
was published
for
apm-cli
(pip)
May 7, 2026
changedetection.io has an Arbitrary Local File Read via a crafted backup restore
High
CVE-2026-43891
was published
for
changedetection.io
(pip)
May 5, 2026
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
Moderate
CVE-2026-39377
was published
for
nbconvert
(pip)
Apr 21, 2026
Rembg has a Path Traversal via Custom Model Loading
Moderate
CVE-2026-40086
was published
for
rembg
(pip)
Apr 10, 2026
Langflow has an Arbitrary File Write (RCE) via v2 API
Critical
CVE-2026-33309
was published
for
langflow
(pip)
Mar 19, 2026
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment
Critical
CVE-2026-27825
was published
for
mcp-atlassian
(pip)
Mar 10, 2026
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading
High
CVE-2026-1669
was published
for
keras
(pip)
Feb 18, 2026
Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration)
High
GHSA-gfmx-qqqh-f38q
was published
for
keras
(pip)
Feb 12, 2026
•
withdrawn
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write
Critical
CVE-2025-64712
was published
for
unstructured
(pip)
Feb 3, 2026
ProTip!
Advisories are also available from the
GraphQL API