GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61

Unreviewed advisories:
All unreviewed: 5,000+
5,554 advisories (pip, GitHub reviewed). Each entry: title | severity | advisory ID | affected package (ecosystem) | publication date.
pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size | Moderate | GHSA-4xgf-cpjx-pc3j | pydantic-settings (pip) | published Jun 19, 2026
LangSmith SDK TracingMiddleware: Arbitrary server-side file read | High | GHSA-f4xh-w4cj-qxq8 | langsmith (pip) | published Jun 19, 2026
Zeep: Server-Side Request Forgery (SSRF) | Moderate | GHSA-4cc2-g9w2-fhf6 | zeep (pip) | published Jun 19, 2026
Anki: User scripts in iframes have access to the internal Anki API | Moderate | GHSA-cw6h-ffmh-x6vh | aqt (pip) | published Jun 19, 2026
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer | Moderate | GHSA-wvrh-2f4m-924v | ChatterBot (pip) | published Jun 19, 2026
EverOS: Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id | High | GHSA-c795-2g9c-j48m | everos (pip) | published Jun 19, 2026
stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA) | High | GHSA-6gqw-jqv7-v88m | stigmem-node (pip) | published Jun 19, 2026
stigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA) | High | GHSA-xhv3-q4xx-349r | stigmem-node (pip) | published Jun 19, 2026
stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA) | High | GHSA-x26h-xmv8-gxf7 | stigmem-node (pip) | published Jun 19, 2026
MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error | High | GHSA-6v7p-g79w-8964 | msgpack (pip) | published Jun 19, 2026
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit | Critical | CVE-2026-55447 | langflow (pip) | published Jun 19, 2026
Langflow: Unauthenticated DoS through multipart form boundary file upload | High | CVE-2026-55446 | langflow (pip) | published Jun 19, 2026
Langflow: Logout button does not clear session | Moderate | CVE-2026-55423 | langflow (pip) | published Jun 19, 2026
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow | Critical | CVE-2026-55255 | langflow (pip) | published Jun 19, 2026
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read() | Moderate | CVE-2026-55206 | py7zr (pip) | published Jun 19, 2026
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size | Moderate | CVE-2026-55195 | py7zr (pip) | published Jun 19, 2026
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files | High | GHSA-rpj2-4hq8-938g | vcrpy (pip) | published Jun 19, 2026
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens | Moderate | CVE-2026-55837 | dbt-mcp (pip) | published Jun 19, 2026
Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser | High | GHSA-p5wc-9w9r-m232 | ultimate-sitemap-parser (pip) | published Jun 19, 2026
Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit | High | GHSA-8823-qg2x-pv9f | ultimate-sitemap-parser (pip) | published Jun 19, 2026
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps() | Moderate | CVE-2026-54911 | ujson (pip) | published Jun 19, 2026
Python Liquid: Infinite loop when parsing malformed `{% case %}` tags | Moderate | CVE-2026-55865 | python-liquid (pip) | published Jun 19, 2026
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories | High | CVE-2026-54528 | jupyterlab-git (pip) | published Jun 19, 2026
jupyterlab-git extension: Stored XSS leading to RCE | High | CVE-2026-54527 | @jupyterlab/git (npm) | published Jun 19, 2026
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders | High | CVE-2026-54499 | stanza (pip) | published Jun 19, 2026