Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

42 advisories

Loading
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
psd-tools vulnerable to arbitrary file write via smart-object filename Moderate
CVE-2026-49836 was published for psd-tools (pip) Jul 9, 2026
seankohjs Credited to seankohjs and yueyueL yueyueL yueyueL
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths High
GHSA-52vm-mxx8-f227 was published for phantom-audio (pip) Jul 9, 2026
leesaenz Credited to leesaenz
OctoPrint has possible file exfiltration via query parameters on upload endpoints High
CVE-2026-54134 was published for OctoPrint (pip) Jun 23, 2026
seankohjs Credited to seankohjs and jacopotediosi jacopotediosi jacopotediosi
BBOT: Arbitrary File Write in postman_download Module Moderate
CVE-2026-12568 was published for bbot (pip) Jun 18, 2026
nedlir Credited to nedlir
PraisonAI GitHub template cache path traversal allows outside-cache file write and directory deletion High
GHSA-f44v-7qgw-9gh9 was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read Moderate
CVE-2026-48520 was published for langflow (pip) Jun 16, 2026
vbCrLf Credited to vbCrLf, keval718, and andifilhohub keval718 keval718
andifilhohub andifilhohub
Docling Core: Insufficient validation of image reference URIs High
CVE-2026-44019 was published for docling-core (pip) Jun 3, 2026
brodmart Credited to brodmart
Docling: Unsafe URI and Path Handling in HTML Backend High
CVE-2026-47214 was published for docling (pip) Jun 3, 2026
brodmart Credited to brodmart
rattler has an entry-point path traversal in noarch:python install (arbitrary file write) Moderate
CVE-2026-47425 was published for py-rattler (pip) Jun 1, 2026
berkant-koc Credited to berkant-koc
compliance-trestle - jinja has an Arbitrary File Write via Path Traversal High
CVE-2026-46345 was published for compliance-trestle (pip) May 28, 2026
l3tchupkt Credited to l3tchupkt
compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal High
CVE-2026-45725 was published for compliance-trestle (pip) May 27, 2026
AnistoMejin Credited to AnistoMejin and yantongggg yantongggg yantongggg
0xmrma Credited to 0xmrma
Streamlink has an arbitrary local file read via file:// URI in HLS and DASH Moderate
CVE-2026-44353 was published for streamlink (pip) May 11, 2026
4tkD0g Credited to 4tkD0g and bastimeyer bastimeyer bastimeyer
0xmrma Credited to 0xmrma
changedetection.io has an Arbitrary Local File Read via a crafted backup restore High
CVE-2026-43891 was published for changedetection.io (pip) May 5, 2026
minhlh56 Credited to minhlh56
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames Moderate
CVE-2026-39377 was published for nbconvert (pip) Apr 21, 2026
g0blinResearch Credited to g0blinResearch
Rembg has a Path Traversal via Custom Model Loading Moderate
CVE-2026-40086 was published for rembg (pip) Apr 10, 2026
yueyueL Credited to yueyueL
Langflow has an Arbitrary File Write (RCE) via v2 API Critical
CVE-2026-33309 was published for langflow (pip) Mar 19, 2026
akshatgit Credited to akshatgit, abhinavagarwal07, Jkavia, and andifilhohub abhinavagarwal07 abhinavagarwal07
Jkavia Jkavia andifilhohub andifilhohub
yotampe-pluto Credited to yotampe-pluto and gil-maman-p gil-maman-p gil-maman-p
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading High
CVE-2026-1669 was published for keras (pip) Feb 18, 2026
N3mes1s Credited to N3mes1s
Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration) High
GHSA-gfmx-qqqh-f38q was published for keras (pip) Feb 12, 2026 withdrawn
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write Critical
CVE-2025-64712 was published for unstructured (pip) Feb 3, 2026
ProTip! Advisories are also available from the GraphQL API