GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,273 advisories
Filter by severity
OpenStack Ironic allows file overwrite via directory traversal during deployment with a crafted ISO image
Moderate
CVE-2026-48681
was published
for
ironic
(pip)
Jun 4, 2026
OpenStack Ironic allows Boot Script Injection
Moderate
CVE-2026-46447
was published
for
ironic
(pip)
Jun 4, 2026
Apple App Store Server Python Library: SignedDataVerifier accepts stale OCSP GOOD responses and can bypass certificate revocation checks
Moderate
GHSA-8f6j-263m-g72x
was published
for
app-store-server-library
(pip)
Jul 13, 2026
jupyter-server is vulnerable to CORS origin validation bypass when the `allow_origin_pat` configuration is used
Moderate
CVE-2026-6657
was published
for
jupyter-server
(pip)
Jun 3, 2026
GeoNode: Stored XSS to full account takeover
Moderate
CVE-2024-27091
was published
for
geonode
(pip)
Jul 13, 2026
daphne: Unauthenticated attackers can cause excessive memory consumption by sending arbitrarily large WebSocket messages/frames
Moderate
CVE-2026-44545
was published
for
daphne
(pip)
Jun 3, 2026
CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources
Moderate
GHSA-9mqm-qcwf-5qhg
was published
for
credsweeper
(pip)
Jul 10, 2026
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Moderate
GHSA-489g-7rxv-6c8q
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Moderate
CVE-2026-48710
was published
for
starlette
(pip)
Jun 4, 2026
pip: Path traversal in console_scripts/gui_scripts entry point names allows installing scripts outside of target directory
Moderate
CVE-2026-8643
was published
for
pip
(pip)
Jun 1, 2026
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
Jupyter Server vulnerable to Path Traversal via incorrect root directory boundary check in _get_os_path()
Moderate
CVE-2026-5422
was published
for
jupyter-server
(pip)
Jun 2, 2026
Apache Airflow has no certificate validation on SMTP STARTTLS connections
Moderate
CVE-2026-49267
was published
for
apache-airflow
(pip)
Jun 1, 2026
pypdf: Possible infinite loop when processing threads/articles in writer
Moderate
CVE-2026-54651
was published
for
pypdf
(pip)
Jul 9, 2026
vantage6 node has an Improper Access Control issue
Moderate
CVE-2026-54533
was published
for
vantage6
(pip)
Jun 5, 2026
Vantage6: Set admin user and password from environment or configuration
Moderate
CVE-2026-54445
was published
for
vantage6
(pip)
Jun 5, 2026
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
Moderate
CVE-2026-48817
was published
for
starlette
(pip)
Jun 15, 2026
Apache Airflow has an Authorization Bypass Through User-Controlled Key
Moderate
CVE-2026-46764
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Moderate
CVE-2026-42360
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Moderate
CVE-2026-42358
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has a Link Following issue
Moderate
CVE-2026-40861
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has a Missing Authorization issue
Moderate
CVE-2026-41014
was published
for
apache-airflow
(pip)
Jun 1, 2026
Apache Airflow has a Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Moderate
CVE-2026-41017
was published
for
apache-airflow
(pip)
Jun 1, 2026
MLflow: Any authenticated user can enumerate all gateway secrets, endpoints, and model definitions
Moderate
CVE-2026-3198
was published
for
mlflow
(pip)
Jun 2, 2026
ProTip!
Advisories are also available from the
GraphQL API